July 10th, 2003, 11:28 PM
New to NS, need a bit of guidance.
I work for a company where I handle general information technology problems. I kind of play a jack-of-all-trades role. Recently our web server was hacked. We were, and will continue to be, running Windows 2000 Server. Though I don't like Windows 2000 Server, I have no choice currently. Basically, I need to be able to keep our site secure, and I really am not sure where to begin. I know a lot about computers but really have never learned much about network security. I'm sure I should have read some posts before I made my own, and I'm sure there are tons of links to tutorials and articles and all kinds of stuff, but I just wanted to get a post out there and hopefully get some real feedback.
July 11th, 2003, 12:18 AM
Does your server have the current service pack? What kind of website are you running... ASP, or just plain HTML?
Some details of the hack might be useful.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
July 11th, 2003, 12:59 AM
I was not really in charge of the server when this happened, so I don't know all the details. According to my boss, we did not have the latest security updates because installing them kept crashing the server (thank you, Microsoft). As for the website, I'm not completely sure; it runs some HTML pages, I know, as well as some pages which allow users to securely view financial data. I have no idea what these pages are.
July 11th, 2003, 01:26 AM
Although I am a new member to this site or any other on-line group like this, I have been working as a network security consultant for 5 years now. I find that the simplest tools to help keep a Windows-based network secure are often overlooked. Much of the time, I find that the wwwroot dir. is left as an open share on an NT web server, often with only a simple Admin username and no password. By using the Computer Management tool found in Control Panel you can remove all the unwanted shared drives and the default shares such as C$, Admin$, and any other drives you might have shared. The next most common mistake is allowing the NT Null Session Admin Name Vulnerability to exist. An attacker can learn the names of the user and admin accounts on that system by exploiting this vulnerability; this allows an intruder to attempt username and password combinations for the system once he or she obtains the username. In the worst case, when a user or admin account has no password, the intruder can gain access simply by knowing the username, therefore allowing the intruder to make shares and other system resources available to them.
To secure your web server from these simple yet common problems I would start off by using the management tool and getting rid of all unwanted user accounts, shared drives, or directories. Next, while you are looking at the shares on the server, look for the IPC$ share; if it is in fact shared, anonymous connections can be restricted by setting a registry value properly. The registry setting for this is as follows:
SYSTEM\CurrentControlSet\Control\Lsa, Name: RestrictAnonymous, Type: REG_DWORD, Value: 1
This will keep all information restricted for the anonymous connection; however, it will not keep a user from making a null connection to IPC$. Without the anonymous connection, however, IPC$ is useless.
Other than that, keeping your system updated is the only other thing I can tell you without knowing more about your system. I can say that learning about the various other vulnerabilities common to Windows, and more importantly NT servers, will help you a great deal in keeping your own system secure. Only by knowing how to destroy can you learn to protect; at least that's how I learned. I hope this was of some help to you. Feel free to post your URL if you would like me to help you with any other problems you may have.
"Peace, Love, and BOOTY Grease"
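The share and RestrictAnonymous checks in the post above, written up as a small audit script. This is an added example, not code from the thread: it parses captured output of the Windows `net share` and `reg query` commands, whose sample output here is constructed and assumes the column layout shown (real output varies by Windows version).

```python
"""Added audit helper (not from the thread): checks captured `net share` and
`reg query` output from an NT/2000 host against the post's advice: drop C$/ADMIN$
and the wwwroot share, and set RestrictAnonymous=1 so IPC$ gives nothing away."""
import re

# Constructed sample of `net share` output (not a real host).
NET_SHARE_OUTPUT = """\
Share name   Resource                        Remark
-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
C$           C:\\                             Default share
wwwroot      C:\\Inetpub\\wwwroot
The command completed successfully.
"""
# Constructed sample of `reg query ...\Control\Lsa /v RestrictAnonymous` output.
REG_QUERY_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    RestrictAnonymous    REG_DWORD    0x0
"""

def parse_net_share(text):
    """Share names from `net share` output: the rows after the dashed rule."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            shares.append(line.split()[0])
    return shares

def parse_restrict_anonymous(text):
    """RestrictAnonymous DWORD from `reg query` output, or None if unset."""
    m = re.search(r"RestrictAnonymous\s+REG_DWORD\s+0x([0-9a-f]+)", text, re.I)
    return int(m.group(1), 16) if m else None

def audit(net_share_text, reg_text):
    """Return findings as strings; an empty list means the host matches the advice."""
    findings = []
    shares = parse_net_share(net_share_text)
    for s in shares:
        if s.upper() == "ADMIN$" or re.fullmatch(r"[A-Z]\$", s.upper()):
            findings.append("default share still present: " + s)
        elif s.lower() == "wwwroot":
            findings.append("web root is an open share: " + s)
    value = parse_restrict_anonymous(reg_text)
    if (value is None or value < 1) and "IPC$" in shares:
        findings.append("IPC$ shared with RestrictAnonymous=%s; set it to 1" % value)
    return findings
```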
July 11th, 2003, 10:12 AM
You will want to do the following:
Securely reinstall the machine and carefully restore backups to avoid restoring any executables which might be infected with a backdoor. All executables should be re-obtained from original read-only media or somewhere else you trust. You should do this after any suspected successful attack.
After this, however, on the new system:
- Obviously put the latest patches or service packs on
- If these are not compatible with some other programs, complain to the vendor (in the case of in-house software, complain to the development team)
- Run the IIS Lockdown Tool from Microsoft and disable everything you don't need (particularly script maps you don't use; these have been the source of 90% of IIS vulnerabilities)
- *Maybe* consider running URLScan. It is quite a good tool; however, it is very easy to break your own system with it
- If you're running any server-side applications, do a source code audit of those for common attacks (XSS and SQL injection mainly). If you don't have their source code, complain to the vendor again.
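A first-pass helper for the source code audit in the last point, added here as an example and not part of the post: it scans classic ASP for the two bug classes named, input from Request concatenated into a SQL string and input written to the response without Server.HTMLEncode. The ASP fragment it scans is constructed and shows each bug beside its fixed form; the scanner is a starting point for a human review, not a replacement for one.

```python
"""Added source-audit helper (not from the thread): a first pass over classic
ASP for the two bug classes the post names. SQL injection: input taken from
Request concatenated (&) into a SQL string. XSS: that input passed to
Response.Write without Server.HTMLEncode. A real audit still reads the code."""
import re

# Constructed ASP fragment (not from any real site): two bugs, then their fixes.
ASP_SOURCE = '''\
<%
acct = Request.QueryString("acct")
' Vulnerable: user input spliced into the SQL text.
sql = "SELECT balance FROM accounts WHERE acct_no = '" & acct & "'"
Set rs = conn.Execute(sql)
' Vulnerable: user input echoed unencoded.
Response.Write "Account: " & acct
' Hardened: bound parameter and HTML-encoded output.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT balance FROM accounts WHERE acct_no = ?"
cmd.Parameters.Append cmd.CreateParameter("acct", adVarChar, adParamInput, 20, acct)
Response.Write "Account: " & Server.HTMLEncode(acct)
%>
'''

TAINT_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*Request\b", re.I)
SQL_STRING = re.compile(r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"', re.I)

def tainted_names(lines):
    """Variables assigned straight from the Request object."""
    return {m.group(1).lower() for m in map(TAINT_ASSIGN.match, lines) if m}

def uses_taint(line, names):
    """True if the line references Request or a tainted variable as a whole word."""
    words = {w.lower() for w in re.findall(r"\b\w+\b", line)}
    return "request" in words or bool(words & names)

def scan_asp(source):
    """Return (line_no, kind) for each SQL-injection or XSS candidate line."""
    lines = source.splitlines()
    names = tainted_names(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("'"):          # VBScript comment
            continue
        if SQL_STRING.search(line) and "&" in line and uses_taint(line, names):
            findings.append((no, "sql-injection"))
        elif re.match(r"\s*Response\.Write\b", line, re.I) and uses_taint(line, names) \
                and not re.search(r"\bServer\.HTMLEncode\s*\(", line, re.I):
            findings.append((no, "xss"))
    return findings
```

The parameterized query on line 10 and the encoded write on line 12 of the fragment pass the scan; only the two concatenating lines are reported.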