March 25th, 2004, 05:13 AM
What can I do to stop
I've got a Microsoft Infastructure class this semester and need some help with security. We have established a domain of about 25 computers with a variaty of OS(XP pro,2000 pro,NT workstation,NT 4.0,2000 server,2000 advanced and a fedora server and a couple of Fedora workstations) Each person in the class has a diffrent OS and we have learned how to get them to all work together. But now that we have most of the bugs worked out the instructer has a new twist, One member of my class we have no idea who, has been instructed to hack us at will and do as much damage as he can. I am running a 2000 advanced server as a Domain controller with WINS and DNS on it. Last week he pretty much had his way with a couple of peoples machines and I don't want to be next, can anyone give me any ideas? Please remember I'm still new at this. I'm smart enough to know that I know nothing.
March 25th, 2004, 05:32 AM
Search google and this site for security related terms... that's where you should start... Though I may be inclined to help you since minus the WINS server, that's exactly what my desktop machine is running... don't ask why.
Can you d/l and install stuff, or are you stuck with configuring what you have? I'd assume you can get updates, get all them of course.
If you can, d/l like zone alarm first, then research. Wait for a few more posts, there's alot o' experienced people on here. They'll hook you up with all sorts of stuff.
Do you have to keep all your services operational? if not you can shut off some of them. Though not all since you've made the leap to domain controller already. If someone knows how to shut all that **** off after actually becoming domain controller you'd be helping me as well as him
A funny thought just crossed my mind... depending on how mutch he already knows about your network, like your IP address and such (like that can't be changed anyways, screw network policy, DHCP is even better), I, Myself would play with a honeypot. Just to keep him busy for a while. I'd assume he won't spend all his free time trying to hack your box. though you never know. If you could work a honeypot, you could log what he's doing, hopefully buying you at least one class period to send us the logs .. HAHA that would be great.
Though you said you know nothing, I'll see what you have to say on the subject. Wait for a dozen or so more replies to get the whole think tank on board if their interested. You'll need to keep me interested too. See if you can do something about finding the identity of the dude and feeding us some profile info. it may come to something, who knows.
Good luck, hope your next reply isn't -- I've been haxored!!! ---
March 25th, 2004, 09:07 AM
A few more questions to add to those from UpperCell :
1. Do you know how the other two machines were attacked
2. Will he/she have physical access to your machine (when I build a "secure box" I always use removable hard drives, lock the CD and floppy to normal users, boot from HDD first etc).
3. Which OSes were attacked first?
4. I would suggest some security tools, but I am not sure if you are allowed to load them. I guess the EULA is OK as you are using them "privately", albeit in an educational environment? As UpperCell has already pointed out it is important to us to know if you can do this, and any other rules of engagement
March 25th, 2004, 10:57 AM
Hrmm.. Sounds like a wargame!
I noticed the lack of mention of a firewall and/or an IDS. Are you not allowed to install these? You might want to look at the NSA's Security Guides to see if they may help you lock down your servers better. And perhaps check the tutorials I wrote on Wargames as they may give you a better idea as to how the attacker got in. I suspect that there is no physical access immediately but rather remote access.
Lastly, the most common way that I get into my students machines is due to really poor password policy (e.g., "password", "root", "course#", their email password -- which they access over the clear). You might want to ensure you put in some strong password policies on important machines in particular.
March 25th, 2004, 11:58 AM
The first two machines he got were another 2000 advanced server and one of the 98 machine. I think he's just picking at random. The only access he is allowed is remote only so that helps. I can download anything but a firewall and all my updates are downloaded so there I'm okay. I have GFI LANguard Network Security Scanner downloaded and I'm going to use it tonight to try and find all the holes in the network. But I really want to beat this guy since the instructer is so sure we will all fail. Thanks for your help.
March 25th, 2004, 12:31 PM
March 25th, 2004, 01:31 PM
Actually, you know who you should talk with: Pooh Tzu Sun. He has a Windows box locked down without Firewall or AV. And I've checked it. It's an impressive setup. Send him a quick note on some advice on how to lock your boxes down to prevent remote access but still allowing necessary services. His setup was quite impressive.
I can download anything but a firewall and all my updates are downloaded so there I'm okay.
Oh yes, if you are required a webserver toss IIS.
March 25th, 2004, 01:48 PM
The real prize would be the domain server and since you are using 98 machines and possibly samba the DC must answer LM authentication requests, if your 'attacker' is on the LAN with you he may as well go for the DC by sniffing LM hashes and then he will 0wn j00 all. But seriously just some initial precautions I would take would be to tighten your file permissions, disallow anon NB stuff(do you have to have it?), enable auditing,check your local sec policy,remove all un-needed/required services,if you run IIS run IIS lockdown and remove all your extensions, remove SYSTEM execute privileges on commonly exploited binaries (cmd.exe,tftp,etc), change your admin account,enforce strong password policy, then run some tools like baseline security and nessus against yourself (Perhaps a trial/edu version of E-eye Retina?) and see what turns up, then rinse...repeat....
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
March 25th, 2004, 01:57 PM
Check the web logs on the other machines and then go hook the guy in the face.
That should deter him from fuxoring your box.
March 25th, 2004, 02:07 PM
why would a firewall be against the rules? Please forgive my ignorance but i have never been in a classsroom type waregame.