mScriptBox
How To Protect Your Network - Part I

Copyright ©200-2005 by Merlin - All rights reserved

Table of Contents

  1. Part I - Internal Security For A Network
  2. Part II - External Security For A Network
  3. Part III - Protect A Network Against Viruses

Part I - Internal Security For A Network

In this document you review the basic methods of internally securing a network, and use some of these methods to implement and troubleshoot internal security for a network.

   Part I is divided into three sections:

  1. The Steps for Developing an Effective Security Policy
  2. The Basic Methods for Internally Securing a Network
  3. Restrict Administrative Access to the Network


Introduction

Keeping your network resources and data safe from threats such as intruders and human error is a critical administrative task. These threats can come from internal or external sources. The security methods you implement should be based on the source of the threat. For example, an effective method for providing external security is to implement a firewall; an effective method for providing internal security is to verify rights for objects in a Directory. In this section, you learn about some basic methods for internally securing your network, how you can restrict access to prevent loss of resources and data, and how to troubleshoot basic internal security problems.


1. The Steps for Developing an Effective Security Policy

To establish a secure infrastructure for your network, you need to provide the following components: a security policy, user authentication, encryption, access control, audit, and administration. Of all these, developing an effective security policy is the most critical component. The security policy is a document (or set of documents) that describes the security controls to be implemented in your company, and provides a foundation for establishing a secure environment. In his article on security policies, Mark Edmead recommends the following as the basic steps for developing a security policy:
  1. Classify your systems. Take inventory of all of your systems, and determine how they are being used in your organization.
  2. Determine your organization's security priorities. Determine the security priorities for each system. For example, if you have a Web server, the security priority might be to limit access to only HTTP connections.
  3. Assign risk factors. Knowing you need a security policy is one thing, but you (and your employees) need to understand what the risks are if the policy is not followed. For example, if the antivirus policy is not followed, the risk could be that corporate email is disabled.
  4. Define acceptable activities. This part of the policy addresses not only what activities are acceptable but also what activities are not acceptable.
    For example, an acceptable activity is to make sure antivirus software is installed on the workstations. An unacceptable activity is to open attachments from unknown sources.
  5. Provide security awareness training. Writing policies is important, but you also need to train employees on the policies. The training should include what the policies are, where they are located, and why following the policies is important.
  6. Determine the administrator of the policy. One of the tasks of a policy administrator is to update and revise the policy. But more importantly, someone needs to enforce the policy. Like highway speeding laws without a highway patrol, without adequate enforcement, you might as well not have a security policy.
The Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie-Mellon University (CMU) estimates that 80% or more of the internal security problems they review have to do with poorly chosen passwords. By developing an effective security policy that addresses issues such as passwords, training employees on the security procedures, and then effectively enforcing the policy, you can eliminate a majority of your internal security problems.

 For a guide to developing a security policy, see the Site Security Handbook at http://security.isu.edu/isl/rfc1244.html.
To access a template for building a security policy, see the SANS Security Policy Project.


2. The Basic Methods for Internally Securing a Network

Although the security risks to your network from external sources (such as email viruses) are highly publicized, the majority of security risks faced by network administrators come from internal sources.

Many of these internal security problems happen because of ineffective security policies, mismanaged access rights, and employees who do not follow security procedures.
Other internal security problems happen because of unauthorized individuals (such as employees and contractors) who have the means, motive, and opportunity to cause significant damage to your network resources and data.

Although you cannot control the means and motives of these individuals, you can significantly reduce or eliminate the opportunities for them to cause damage by implementing the following:

  • Physically Secure Servers
  • Secure the Server Console
  • Protect Servers and Workstations Against Viruses
  • Secure the Server File System
  • Restrict Network Access Through eDirectory User Objects
I. Physically Secure Servers
The first place to start when securing your network is to protect your server from unauthorized access. If an unauthorized person has access to a server, he or she can load files from a diskette, switch the server into debug mode, remove restrictions from the server, shut down the server, or even remove the server's hard drive. You can limit physical access to servers using one or more of the following methods:
  • Lock the server in a room and allow access only to authorized individuals.
  • Remove input devices (such as the keyboard and mouse) so that unauthorized individuals are not able to enter server commands or use configuration utilities.
  • Remove output devices such as monitors.

II. Secure the Server Console

In addition to physically securing the server, you can improve security by doing the following to prevent the use of the server console:

  • Use the screensaver.
    The screensaver provides protection because it requires a password to unlock it.
  • Log out when you are not at the server's console.
    Never leave the server unattended! Make sure you always log out, even if you leave the console only for a minute.

    III. Protect Servers and Workstations Against Viruses
    To protect your network from the spread of viruses introduced by internal (and external) intruders, do the following:

    1. Install virus scanning software.
      Install virus scanning software on each workstation.
      Create an emergency boot diskette when you install the software, and write-protect the diskette before you use it. (This prevents files on the diskette from becoming infected.)
      You can use the emergency boot diskette to start the computer if your virus software is infected or to make sure your computer is clean before you install other software.

      NOTE: Two popular virus scanning software packages are McAfee Virus Scan and Norton AntiVirus.

    2. Configure the virus scanning software to meet your security requirements.
      To make sure that your virus scanning software is highly effective in combating virus attacks, configure the software to do the following:
      • Scan both incoming and outgoing files at the server.
      • Scan all types of files (including EXE, DLL, and ZIP files).
      • Scan all incoming and outgoing email and attachments.
      • Immediately send virus notifications to the network administrator and the user.
      • Prevent users from canceling the virus check or virus repair.

    3. Enable virus expiration warnings.
      Enable the virus expiration warning to alert you when signature files are outdated.
      Each virus has a specific pattern it leaves when it infects a file. The information in a signature file is used by the virus scanning software to determine the type of virus that has infected the computer and its files.
      With viruses being created almost daily, you need the latest signature files to protect against new viruses. These files are freely provided by the antivirus software vendor.
      Make sure you update your emergency boot diskette when new signature files are received.

    4. Quarantine files.
      Use a software package that allows files to be quarantined. This prevents users from accessing infected files and spreading a virus.

    5. Filter junk mail.
      Configure your email servers to filter and eliminate unsolicited junk email that could contain a virus or malicious code.

    6. Include virus protection procedures in your security policy.
      Make sure that your security policy includes items such as discouraging employees from downloading non-work-related email attachments, and encouraging them to install antivirus software on their home computers.

    IV. Secure the Server File System

    The following are some basic guidelines for securing the server file system:

    1. Disable unused services.
      Services like FTP and Telnet can be a security risk. Disable them, or limit the number of users allowed to use them. If available, set up and configure Secure Shell (SSH) for access.

    2. Limit file and directory rights.
      Assign users the fewest rights possible to access files and folders. Don't give users rights to the root directory of any drive because the rights flow down and are inherited.

    3. Assign file attributes.
      You can assign file attributes to override granted or inherited rights. Unlike trustee rights that apply only to assigned users, file attributes apply to all users accessing that file.

    4. Use trustee assignments.
      A trustee is an object that has been placed on the access control list (ACL) of a directory or file. You must be defined as a trustee before access rights to a directory or file can be granted to you.
      File system security is easier to implement and manage when you grant trustee assignments to eDirectory objects, such as group and container objects, that pass their rights to multiple users.
      If users have more rights than they need, check their trustee assignments and make changes.

    5. Use a folder other than the system drive for home directories.
      Organize your file system so that users' home directories are on a drive and/or partition other than the one that holds your operating system (OS).
      The OS (Operating System) drive/partition should be reserved for the OS system files. By creating home directories on the OS drive/partition, you allow users to store files that might contain viruses that can corrupt or cause damage to critical system files.

    6. Test file system security.
      The easiest way to test file system security is to log in as a user with default rights and browse the network.
      You can check for possible security risks by answering the following:

      1. Can you see system folders like SYS:SYSTEM or SYS:ETC (Novell Netware) or C:\Windows, C:\Winnt (Microsoft)?
      2. Can you see the directories from which administrative utilities such as NetWare Administrator/ConsoleOne (Novell Netware) or Regedit/Regedt32 (Microsoft) are run?
      3. Can you browse the entire eDirectory (Novell Netware) or Active Directory (Microsoft) tree?

      When a user can see more than what has been described above, check the rights for that user. The user has probably been assigned more rights than the default rights.
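
The effect of a root-level grant on the browse test above can be reproduced in a small model. This is an added example, not part of the original page or of any NetWare tool; the directory tree, trustees, and the rule that a nearer assignment replaces an inherited one are simplifying assumptions.

```python
# Simplified model of inherited file system rights (constructed data).
# Rights letters follow the NetWare set: S R W C E M F A, where F = File Scan.
from pathlib import PurePosixPath

# Constructed trustee assignments: directory -> {trustee: rights}
ASSIGNMENTS = {
    "/": {"Everyone": "RF"},              # the mistake: rights at the volume root
    "/APPS": {"Staff": "RF"},
    "/HOME/jdoe": {"jdoe": "RWCEMF"},
    "/SYSTEM": {"Admins": "SRWCEMFA"},
}
# Hypothetical user and group memberships (the user is a trustee too).
MEMBERSHIP = {"jdoe": {"jdoe", "Staff", "Everyone"}}
TREE = ["/", "/SYSTEM", "/ETC", "/APPS", "/APPS/office", "/HOME", "/HOME/jdoe"]


def effective_rights(user, directory, assignments):
    """Rights the user holds in `directory`, whether explicit or inherited."""
    total = set()
    for trustee in MEMBERSHIP[user]:
        # Walk from the directory up to the root; the nearest assignment
        # for this trustee is the one that applies (model assumption).
        node = PurePosixPath(directory)
        while True:
            rights = assignments.get(str(node), {}).get(trustee)
            if rights is not None:
                total |= set(rights)
                break
            if node == node.parent:   # reached the root without a match
                break
            node = node.parent
    return total


def visible_dirs(user, assignments):
    """Directories the user can list, i.e. what the browse test would show."""
    return [d for d in TREE if "F" in effective_rights(user, d, assignments)]


def without_root_grant(assignments):
    """Corrected layout: the same assignments minus anything granted at '/'."""
    return {d: t for d, t in assignments.items() if d != "/"}


if __name__ == "__main__":
    print("with root grant:   ", visible_dirs("jdoe", ASSIGNMENTS))
    print("without root grant:", visible_dirs("jdoe", without_root_grant(ASSIGNMENTS)))
```

With the root grant in place the default user sees every directory, including the system ones; once it is removed, only the application and home directories remain visible.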

3. Restrict Administrative Access to the Network

    Securing eDirectory user objects is critical to maintaining internal security for your network. You can restrict network access through user objects by doing the following:
    1. Follow Login Security Guidelines
    2. Effectively Assign Rights to Users
    3. Set Password Properties for User Objects
    4. Configure Intruder Lockout Options

    I. Follow Login Security Guidelines
    Use the following guidelines to help implement login security:

    1. Disable unused user accounts.
        Disable user accounts that have not been used for several months.

        Before you disable an account, verify that the account is no longer needed. Sometimes a remote user might not connect to a network for an extended period of time.

    2. Assign an expiration date for temporary employees.
        For temporary employees, use the expiration date property to restrict their access to the contracted time limit.

    3. Restrict logins based on time.
        For example, you might want to limit employee access to the hours of 9:00 am to 7:00 pm.

        Make sure you check with managers to account for exceptions such as employees working overtime.

    4. Limit the number of user connections.
        Set connection limits for users to restrict the number of computers they can log in from. Two connections are usually sufficient for most users (other than network administrators).
    5. Limit rights for specifying login restrictions.
        This is useful when granting a subset of rights to a Help desk or junior administrator for specifying login restrictions. Some of those rights (if available on your operating system) are listed below:
        • Account disabled
        • Account has expiration date
        • Expiration date and time
        • Limit concurrent connections
        • Maximum connections
        • Last Login
    II. Effectively Assign Rights to Users

    When you create a user, the user object is assigned a default set of rights that enable the user to access required network resources.

    Security problems occur when the default rights are excessive, or when you start assigning specific rights to a user without understanding the implications.

    The following guidelines can help you establish a secure internal network through the effective assignment of user rights:

    • Start with the default assignments.
        The default assignments are sufficient for most users on most networks.

    • Avoid assigning rights through the All Properties option.
        The Object Trustees Access Control List (ACL) property is the main reason for not granting additional rights with the All Properties option.

        Assigning property rights through the All Properties option might seem easier but you might assign property rights to other users in the ACL that do not need those rights.

        Be especially careful when assigning the Write right to the Access Control List (ACL) property. This right enables a user to configure additional rights to the object. The user can then assign other rights to an object.

    • Use Selected Properties to assign property rights.
        By using Selected Properties, you can control what rights users are assigned, and assign only those rights that are absolutely necessary.

    III. Set Password Properties for User Objects

    User passwords are especially important to your internal security plans. Novell has provided a simple method for implementing passwords in a consistent manner through the use of a user template, which you can use to create user objects.

    This is especially helpful if you are creating many users who need the same property values, and require specific password properties.

    The following are password properties you can set when creating a user object or template:

    • Allow user to change password.
        Allow users to change their login password.
    • Require a Password.
        Specify that the user should enter a password to access the network.
    • Minimum password length.
        Set a minimum password length; many organizations require at least 8 characters. (Passwords can be from 1 to 128 characters.)
    • Force periodic password changes.
        Require users to change their password regularly.
    • Days between forced changes.
        Specify a fairly frequent interval between password changes, such as 30 days (you can specify up to 365 days). The value is stored in seconds, not days. (86,400 seconds equals 24 hours.)
    • Date password expires.
        Assign a date and time on which a user's current login password will expire. Many administrators use this setting (instead of "Days between forced changes") for temporary or contract employees with a specific termination date.
    • Require unique passwords.
        Require the use of unique passwords, rather than allowing the user to reuse an old password. NetWare keeps a record of the last 8 passwords for a user and prevents the user from reusing any of those passwords.
    • Grace logins allowed.
        Set this option to allow a user to log in a set number of times with an expired password. Consider setting this number to only a few times; many organizations limit grace logins to 3. You can enter a value between 1 and 200.
    • Remaining grace logins allowed.
        This number reflects the remaining, unused grace logins, and is updated by eDirectory. If you want to increase the number of grace logins still available for a user, increase this number. For example, if the number of remaining grace logins is "0" and a user needs one more to access his or her account to change the password, replace the "0" with "1."
    • Change password.
        Use this option to change a user's password or set one if the user does not have one. The changes are immediate and cannot be undone. You can use this option when a user has forgotten his or her password and needs to enter a new one. Enter a new password, then securely inform the user of the new password.
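
The login guidelines and password properties above can be checked in bulk against an export of account settings. The following is an added example, not part of the original page or any Novell tool; the field names, sample accounts, audit date, and the 90-day reading of "several months" are assumptions.

```python
from datetime import datetime, timedelta

SECONDS_PER_DAY = 86_400          # the change interval is stored in seconds
MAX_IDLE = timedelta(days=90)     # assumption: "several months" taken as 90 days
MIN_LENGTH, MAX_INTERVAL_DAYS, MAX_GRACE, MAX_CONNECTIONS = 8, 30, 3, 2

def account(**overrides):
    """Constructed record with compliant defaults; field names are hypothetical."""
    base = dict(disabled=False, last_login=datetime(2005, 5, 30), temporary=False,
                expires=None, admin=False, max_connections=2, password_required=True,
                min_length=8, change_interval=30 * SECONDS_PER_DAY,
                unique_passwords=True, grace_logins=3)
    base.update(overrides)
    return base

ACCOUNTS = {   # constructed sample export
    "jdoe": account(),
    "temp01": account(temporary=True, change_interval=90 * SECONDS_PER_DAY,
                      grace_logins=10),
    "oldsvc": account(last_login=datetime(2004, 1, 1), password_required=False,
                      max_connections=None),
}
NOW = datetime(2005, 6, 1)         # constructed audit date

def audit(acct, now):
    """Return the guideline violations for one account record."""
    findings = []
    if not acct["disabled"] and now - acct["last_login"] > MAX_IDLE:
        findings.append("unused account still enabled")
    if acct["temporary"] and acct["expires"] is None:
        findings.append("temporary account without expiration date")
    limit = acct["max_connections"]
    if not acct["admin"] and (limit is None or limit > MAX_CONNECTIONS):
        findings.append("connection limit unset or above 2")
    if not acct["password_required"]:
        findings.append("password not required")
    elif acct["min_length"] < MIN_LENGTH:
        findings.append("minimum password length below 8")
    interval = acct["change_interval"]
    if interval is None or interval > MAX_INTERVAL_DAYS * SECONDS_PER_DAY:
        findings.append("forced password change unset or longer than 30 days")
    if not acct["unique_passwords"]:
        findings.append("password reuse allowed")
    if acct["grace_logins"] > MAX_GRACE:
        findings.append("more than 3 grace logins")
    return findings

def report(accounts, now):
    """Map each non-compliant account name to its findings."""
    results = {name: audit(acct, now) for name, acct in accounts.items()}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in report(ACCOUNTS, NOW).items():
        print(f"{name}: {'; '.join(found)}")
```
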
    IV. Configure Intruder Lockout Options

    In addition to setting password properties, you can provide additional login security by implementing intruder lockout options.

    Intruder lockout prevents an individual from trying to log in to a user account after a set number of attempts, and is a primary defense against password hackers.

    On Novell NetWare the default number of incorrect login attempts allowed is 7. However, if you have experienced previous hacking attempts, or your enterprise requires tight security, consider setting this value to 3.

    When someone attempts to log in to an account and the attempts exceed the intruder detection limit, NetWare logs the event and the server beeps and displays a time-stamped message showing the account that is locked and the Media Access Control (MAC) address of the node.