Security Audit Tips and Tricks?

blamethenetwork:

Thanks for the insight.  Any other ideas on anything other than the first paragraph?  AV is a major concern, but I am also hoping to find methods to detect any holes in my client's boat.

If you know linux there are some very powerful network tools, and intrusion detection available.  What exactly are you looking to try on this network?

blame-

Me:
"Backtrack 4 Live CD is of interest, but I have very limited knowledge of it's functionailty and capabilities."

You:
"If you know linux there are some very powerful network tools, and intrusion detection available. What exactly are you looking to try on this network?"

I'm not sure if my question is not specific in point, or if you did not read it entirely.  Please do not take offense, as I do respect anyone who takes the time to view my questions, but I am not sure of how to word my question anymore specific.  Perhaps, I should have asked, "Will my client's network be hacked from the outside world?"  I am simply wanting to quite literally attack my client's network in an attempt to either crash it or simulate an attack and monitor the firewall logs to ensure that their network is protected.  If the firewall fails, I would also want to then attempt any tactics used to get into the server itself.  LOL.  Perhaps I should have asked, "How do I hack my own client's network before someone else does."

LOL I like that response.  So you are looking for a penetration test.  If you want a very general firewall test shields up ( https://www.grc.com/x/ne.dll?bh0bkyd2 )  is free and gives you a decent idea of possible vulnerabilities in your firewall config.  Once you see what ports are visible to the outside world you can start tring various exploits to gain access.  Hopefully this will at least give you a starting point.

This is a good utility, but I want to hit my server externally from a comptuer that I am controlling.  This website requires firewall being scanned to request the scan.  I want to scan the firewall from my own computer, plus I want my computer to be outside of the firewall and ISP completely.  I want to test this from a cell card.

Great.  Thank you very much.

stlbridge,

For a good continues security scan Nessus comes to my mind. It actively scans the network for unpatched machines and other security holes. You might want to check it out, it's not very cheap though for a small company.

Regards,

LucF

Wyliecoyoteuk, I have used nmap.  It's pretty handy, but very cryptic.  Any other thoughts?

Thanks for your input.

LucF,
I want to scan externally just as someone who was actually attempting to hit my server would.  The tool does seem to be very useful, but I want to use the same tools that most others would use from the outside world.

I'm not worried about my computer being a bot (in this question).  I am worried about attacks.  Such as DoS, for example.

Why worry about a DoS? It's not like you can stop it at your end if it's a decent one. A bandwidth consuming DoS will have to be taken care of at your providers routers, as soon as it reaches your WAN connection you're off the net anyways.

If a simple WAN request would trigger a DoS without consuming your bandwidth, it means a security issue on which a patch is most likely already available. Therefor, again the need to check for patches on the systems.

LucF

Luc, I appreciate your help, but telling me that patches are the solution... do you really expect this to be accepted?

stlbridge,

I'm guessing you might want to read all my comments again, in no way I'm suggesting that patching is the solution to everything. What I'm trying to explain is that your way of thinking about security is far from reality.

Just for the fun of it, as I see several port scanners mentioned. Would you feel more secure with your Windows XP SP2 computer with enabled firewall connected directly to your modem (which will give you "full stealth" on most tests) or behind a $5000 IDS/IPS which is correctly configured (which might have some open ports as they're needed to serve services)

LucF

Are you suggesting that a hardware firewall is inferior to Windows Firewall?  I realize that I am the one asking the question, and I don't mean to seem confrontational, but I do not see your logic.  If you could explain further?  I feel like I'm asking a question that is almost impossible to answer, but then again, it seems so simple of a question-  How would a hacker attempt to destroy my server?  What methods would he use?  This seems black and white, yet it isn't?

stlbridge,

This will be my last attempt at trying to make you take another look at security as you obviously don't like my replies, it's not just what you can spot from the internet side. In none of my comments I've ever doubted your idea of doing the best you can, however you've been showing that you do the best you know.

1) Why would a "hacker" want to destroy your server?
- You make backups don't you? So they can't.
- If a hacker manages to take ownership of your server with a decent bandwidth, don't you think they have better uses for it?
2) If a "hacker" would even want to destroy your server, why take the difficult route?
- Users accessing that server are very likely to make mistakes (visiting the wrong website, giving their passwords to others etc.)
3) This isn't black & white at all.
- You can make your system seemingly from the internet as secure as you want. Just pull the ethernet plug from your Modem.
- Users will still be able to accidentally leak information even though they don't know it.

Please let me know your thoughts.

Regards,

LucF

To add, I'm not saying that a hardware firewall is inferior to the Windows firewall. What I'm trying to say is that the results from a portscan might give you false ideas of security.

LucF

You put "hacker" in quotes.  Is it childish that I am using such terms?

stlbridge,
You need to absolutely understand that 'patches' are a critical part of any security audit.
I have done more security audits than I have hair on my head (inside joke) and had available every tool in the IT world.
The first - the very first - test in every audit I have ever done is to verify that the OS patches are ALL in place - on every box on the network - and that every box is current with whatever AV solution is being run.

Also, please back down off your high horse and read Luc's last comment again. He knows more about hardware security than about 99.9% of the people on the planet - and has proven that he is will to help you - so you might demonstrate that you're actually willing to listen (read).

Nope, not childish at all.
Just hoping to open a discussion on what you're exactly affraid of.

I am starting to make sense of this all.  Thanks for tolerating my ignorance in this area (not being sarcastic).  I would still want to run a pen test on my client's server.  Sadly, the program you suggest is not an option due to cost.

stlbridge,

Most tests can be done easely.
For example patches can be checked on the WSUS console (in case WSUS is used) or as an alternative, you can check some systems for automatic updates and if they've been configured correctly. Or if an alternative logon script (KIX for example) is used, proof that it's being pushed to every workstation.

The same counts for antivirus solutions, if a company grade solution is used there will be a central console which can be checked for all updates.

In the end, of course a portscanner will be able to sort out if servers aren't listening on unusual ports (which might actually indicate an intrusion which has already taken place)

Sadly, the easy portscans will only show what is listening and maybe what's behind them. Not the security issues which might be on the applications operating on those ports.

LucF

Younghv

Thanks for the input.  I suppose I am slightly irritated due to the lack of responses that actually answer my question.  I do not mean to come across as an angry kid.  I am simply curious as to how I can establish my client's current status in relation to WAN security.  I clearly spell out what is going on with their network, but for whatever reason, I'm not geting an answer to what I had thought was mapped out rather nicely.  I want to learn more, but I'm obviosly not seeing this from the right angle, and I think that the mindset of security precaution needs to be viewed not only from we-the admin side, but also the "hacker's" perspective.  That's what I'm trying to get in tune with.  From what I understand, many of IT Security's greatest minds were at one time some of the greatest and most dangerous "hackers".

WIth that little rant said, where could an educated mind point me?  And when I ask that, I also mean, where can I be directed that will not only answer my questions, but also provide information that I haven't even asked for yet (that way I can quit bothering the experts here).

Now, I realize that I have a problem with coming across as a complete pr*ck, but I assure you that I mean no kind of sarcasim nor rudeness in this comment.  LOL, that should be my new signature.

It seems that I appear to be asking, "What's the trade secret to network security?"  I am very eager to learn and do appreciate the help I am getting, but at the same time, I do not care

Here's an easier question, that I think I should have asked.  If my client's server is backed against the internet with RDP enabled without any other security than windows logon, how long will it take?  Furthermore, how can I see the failed BF attempts that are made?  This would have been a better way for me to put this.  So it goes:

Remote Computer -> Connect to TS (also mail server) via Global IP -> Hits Firewall -> NAT Pushes 3389 to TS/Mail Server.  Windows Logon is displayed with the Administrator as the username predefined.  

Password is very strong, but how strong is "strong"?  It's the last line of defense, as far as I am concerned.  So, how can we keep this more secure without VPN due to VPN not being an option at all (don't ask).  

I will see you nerdy guys tomorrow.  Thanks for being paitent with a security novice!

stlbridge,

>> It seems that I appear to be asking, "What's the trade secret to network security?"  
I'm sorry to say this, but it's not something I can teach you. It's a thing you learn by doing it and making mistakes. If an auditor tells you things about which might cause an issue (now or in the future) listen to it and act on it.

Making mistakes is an option.
This might sound weird, but it really isn't. Every administrator, and probably you're not an exception on that, will learn to set up multiple layers of security (authentication, authorization, encryption, etc.) so if one appears to have a problem, no harm is done yet. The problem is fixed and the security was up-and-running even though an issue was found.

LucF

>> Remote Computer -> Connect to TS (also mail server) via Global IP -> Hits Firewall -> NAT Pushes 3389 to TS/Mail Server. Windows Logon is displayed with the Administrator as the username predefined.

There's a mistake, not a real security issue yet. You should setup the terminal server not to show any username on the login screen and change the administrator account to a different name so you don't give away 50% of the authentication which would lead to authorization.

An option on this one will also be to disallow the access for a couple of minutes after every failed logon attempt. (Tools are available to do this) which will highly limit the amount of passwords which can be tried in a certain timespan. A brute-force attack will have less to zero chance on getting the password before being spotted. Bad logon attempts can easely be checked through the event viewer.

However, keep in mind that what you mentioned an example, other issues may appear with other servers which may or may not be connected to the internet.

LucF

What is the best tool to monitor email and web usage?  Let's start there, and get this thread closed.

The best I've ever used was iPrism from StBernard software for web monitoring.
http://www.stbernard.com/

Email monitoring can get pretty complicated with the laws of various countries/states and we never used any in the U.S. Military.

MX Logic Email Archiving service.  Any thoughts?  It's very limited, it seems.

PowerIT's perfect pronouncement <<patching is primordial>>

You have a way with words!
btw - Nice qualifications in your profile.

Is it against policy to name this "well known white hat testing tool"?

And PowerIT, I do want to thank you for that.  I feel as though you've cleared much up for me.  It is most appreciated.

Stlbridge, yes it is against the policy of EE. In the past if have been slapped for this. I do not agree with security through obscurity, as the bad guys do have this knowledge. Sadly enough EE does not agree with me, we had our discussion in the past and I have up on that part rather then stopping to share information. Since I can not provide it here, this is one exception where you can mail me on my private email for the information. See my profile for my address.

Younghv, thanks for the kind words. But English is only my third language. You should hear me in Dutch or French :-p
Well, my French speaking colleagues would not agree but I find English a very 'expressive' language and it is my preferred one. Even above my mother tongue Dutch, although they are very close.

kr, J.

stlbridge,

The last man in the middle issue has been resolved with version 6.0 of RDP, this version includes additional verification on the server. And even that man in the middle attack was a hell to perform.

Regards,

LucF

p.s. If I may choose, Dutch is prefered ;o)

stlbridge,
I'll post this in English - since we all appear to be conversant.
Your method of closing this question is flat wrong.
You have been around EE long enough to understand the protocol for what to do when multiple Experts contribute to a conversation.

I don't have any expectations that you will now do the right thing, but that is your loss.

Stlbridge, don't be confused by this. Your customer environment is 2003 server. RDP 6.0 at the client side alone is not enough to resolve the MITM attack. The server has to be 2008 server for this.

kr, J.

I feel that I may have given the points inaccurately.  I would like to correct this, but I've never done that before.  Are there any suggestions?

Just click the "Request attention" link in the body of your question and the Moderators will assist you.

LucF

p.s. PowerIT, the initial question was not even about RDP so shouldn't be a point of discussion. I'll leave it to that.