

August 30, 1999 (Vol. 21, Issue 35)

SECURITY WATCH


BY STUART McCLURE & JOEL SCAMBRAY
Personal burglar alarms can ease your mind when taking NT into hostile environs

Probably the scariest sensation in computing occurs when you realize that someone is trying to break in to your PC via a network. Fortunately, most of us won't experience this sensation any time soon; unfortunately, this is because there are darn few mechanisms built in to the typical PC to detect these activities.

This is particularly troublesome for mobile users, who frequently plug in to a variety of foreign networks. Most of us assume that these networks are owned and operated by upstanding corporate entities and that no one on such networks would dare attempt something as outrageous as breaking in to a personal system. This is, of course, a foolish assumption. The line between the large and unruly Internet and large and unruly corporate intranets is blurring every day. We've even seen trusting souls who join their laptop Windows NT Workstations to NT Server domains at customer sites; they sometimes receive unwanted attentions from rogue members of the Domain Admins group. (Don't forget, the act of joining your NT system to a domain automatically grants membership in the local Administrators group to members of Domain Admins.)

But you've got to plug in to get any useful work done. How do users make sure they aren't giving up the farm as well? We'll share with you some tips and tricks we've learned over the years while toting NT laptops around to various corporate sites. (And we apologize in advance to Linux and Windows 9x users, who won't find much help here.)

First of all, don't join any NT domains! There really should be no reason to do so; you can access all domain resources by manually entering the proper log-in credentials into the necessary applications. One catch-22 comes when a domain account expires. Typically, you would have to join the domain to change the password. With the neat little utility passwd by Alexander Frink, you can reset domain passwords from a command line -- without having to join the domain. (See wwwthep.physik.uni-mainz.de/~frink/nt.html.)

NT supplies a couple of rudimentary tools to monitor possible intrusions. Two of the best are netstat and nbtstat. The netstat -an command lists listening ports and established connections by numeric IP address and can show undesirables among these. The nbtstat -S command dumps the NetBIOS connection table, indicating any unwanted sessions.
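As an added illustration of what to look for in that netstat -an output (this script is not from the column or its authors, and the sample output below is constructed in the NT 4 layout), the following parses the listing and flags two things the column singles out: an established NetBIOS session-service connection (TCP 139) from another host, and a UDP socket bound to 31337, the default Back Orifice port.

```python
# Added example (not from the column): parse "netstat -an" output as seen on
# NT and flag entries a mobile user would want to look at.
import re

# Constructed sample of "netstat -an" output, in the NT 4 layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.77:139       192.168.1.5:1044       ESTABLISHED
  TCP    192.168.1.77:1027      10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

NETBIOS_SESSION_PORT = 139    # NetBIOS session service (file/print sharing)
BO_DEFAULT_UDP_PORT = 31337   # Back Orifice default UDP port, per the column

# One socket line: proto, local addr:port, foreign addr (or *:*), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\w+)?\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per socket line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state = m.groups()
        entries.append({"proto": proto, "local": laddr, "lport": int(lport),
                        "foreign": faddr, "state": state or ""})
    return entries


def find_undesirables(entries):
    """Flag remote NetBIOS sessions and any UDP socket bound to 31337."""
    flagged = []
    for e in entries:
        if (e["proto"] == "TCP" and e["lport"] == NETBIOS_SESSION_PORT
                and e["state"] == "ESTABLISHED"):
            flagged.append(("netbios-session", e["foreign"]))
        if e["proto"] == "UDP" and e["lport"] == BO_DEFAULT_UDP_PORT:
            flagged.append(("udp-31337-listener", e["local"]))
    return flagged


if __name__ == "__main__":
    for kind, who in find_undesirables(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind}: {who}")
```

On a real NT box the same functions can be fed the output of netstat -an directly; the nbtstat -S table the column mentions uses a different layout and is not parsed here.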

Unfortunately, there is no instantly gratifying mechanism for kicking these undesirables off your system, unless you explore third-party options (see below). However, there are a couple of ways to deter such attentions. Setting the following registry value removes the host from network browse lists, while still providing full networking capabilities to and from the system: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\Hidden, REG_DWORD = 1. The ultimate step is to disable the "Access this computer from the network" right for all users; this will stop remote NetBIOS attackers cold. You will find a good general reference for Windows NT security settings at www.microsoft.com/security/products/iis/CheckList.asp.

Of course, to really combat nefarious NetBIOS ne'er-do-wells, we recommend checking out some great third-party tools. One of our favorites is NetWatcher Pro 2.2, freeware by L.A. van der Hoogt. NetWatcher Pro monitors NetBIOS connections and lets you launch manual as well as preconfigured "kicks," which disconnect anyone specified. Some other helpful features of NetWatcher include the capability to generate log files of previous connections and the capability to sound custom alarms when new connections crop up. Another helpful NetBIOS connection monitor is Desktop Sentry from NT Objectives (http://www.ntobjectives.com/). This one lacks some of the fun features of NetWatcher and doesn't automatically alert you to new connections, but it gets the job done.

A more general tool is BlackICE from Network ICE, at http://www.netice.com/. BlackICE monitors for outdated denial-of-service attacks of yesteryear, standard scans, and Back Orifice (BO) and Netbus but doesn't provide NetBIOS connection monitoring, as NetWatcher does. Furthermore, BlackICE costs $39.95 for the personal version, compared with NetWatcher's freeware status.

Those of you who are paranoid about BO infection should check out BackOfficer Friendly (BOF), a cool little utility distributed by Network Flight Recorder (http://www.nfr.net/). BOF sets up a fake BO9x server listening on the default User Datagram Protocol port of 31337 and logs BO attack attempts, sending amusing replies to the attacker in many instances. Although NT is immune to BO9x and BOF does not yet support BO2K, which can infect NT, we regularly run it on our NT systems just to catch the occasional BO Peep. A bonus with BackOfficer Friendly is the fake FTP and Telnet daemons -- you can have minutes of fun watching someone trying to connect to your NT box via a fake Telnet.

How do you watch your back in hostile environments? Send additional tips and tricks to security_watch@infoworld.com.

Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's eSecurity Solutions group. They have managed information security in academic, corporate, and government environments for the past ten years.

Copyright (c) 1999 InfoWorld Media Group Inc.

