To better secure your network from the inside, add the following to your testing to-do list.
1. Test for share, directory, and (if needed) file permissions to ensure that only authorized users can read, write or do whatever to sensitive information on your systems. Do this for both servers and workstations.
To test this, create a new plain-vanilla domain user, log in as that user and see what you can do. It will likely be an unpleasant surprise.
In addition, review the explicit share and NTFS permissions granted to groups and users. While this can be very tedious, it needs to be done to keep your systems locked down and prevent unauthorized internal abuse. The easiest way to do this is with tools like DumpSec's share permission function (Figure 1) and LANguard's Share Finder tool (Figure 2). Both of these tools are great for tracking down and auditing specific permissions that would take a long time to check manually.
2. Dig deeper and search your shares and directories for sensitive information that's not properly secured. While the text search capabilities of Windows Explorer can be used, I prefer a faster and more robust freeware or commercial application like Google Desktop Search, FileLocator Pro, or Identity Finder, shown in the figure below.
These tools allow you to search for regular expressions and keywords that flag sensitive information, like "DOB" for date of birth and "SSN" for social security number. To cut down on scan times, consider narrowing your search to text-based files like DOC, PDF, TXT, RTF, XLS, etc.
Regardless of the method you use, you'll likely find unprotected sensitive information scattered throughout temp directories, the Windows desktop on local workstations and the various directories on file servers. If you don't find anything then you probably haven't looked deep enough. Keep experimenting with the test queries.
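As an added example (not code from the article or from any of the tools it names), here is a small Python scanner in the spirit of the keyword and regex searches described above: it narrows the sweep to text-based file types, flags SSN-shaped numbers only when they fall in ranges the SSA actually issues, reports dates of birth only when labelled, and masks what it finds so the report does not itself become a sensitive file. The extension list, file names and sample note are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Text-based file types to scan; narrowing to these keeps scan time down, as the article suggests.
TEXT_EXTENSIONS = {".txt", ".csv", ".rtf", ".log", ".xml", ".html", ".json"}
# SSN candidates are 3-2-4 digits with optional "-"/space; DOBs count only when labelled (e.g. "DOB: 03/15/1978").
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b\W{0,3}(\d{1,4}[/-]\d{1,2}[/-]\d{1,4})", re.I)

def plausible_ssn(area, group, serial):
    """Drop patterns the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0

def scan_text(text):
    """Return (kind, value) hits for one document; SSNs are masked so the report is not itself sensitive."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3)))
    for m in DOB_RE.finditer(text):
        hits.append(("DOB", m.group(1)))
    return hits

def scan_tree(root):
    """Walk a share or directory and map each text file name to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        try:
            hits = scan_text(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if hits:
            findings[path.name] = hits
    return findings

# Constructed sample data (no real people) to exercise the scanner offline.
SAMPLE_NOTE = ("Onboarding note\nName: J. Doe  SSN: 123-45-6789  DOB: 03/15/1978\n"
               "Office phone 404-555-1234; badge 000-12-3456 is not an SSN (area 000)\n"
               "Invoice ref 98765 4321 has the 9-digit shape but an unissued area number\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # temp tree stands in for a file share
        (Path(tmp) / "new_hire.txt").write_text(SAMPLE_NOTE)
        (Path(tmp) / "scan.jpg").write_bytes(b"\xff\xd8 123-45-6789")  # wrong type, skipped
        return scan_tree(tmp)
```

The phone number, the area-000 badge number and the 9-digit invoice reference in the sample are all rejected, which is the kind of false-positive filtering you will need before reviewing hits on a real file server.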
3. Connect a network analyzer to your network backbone and see what's leaving the network. This is another test that will likely uncover issues you didn't know existed on the Windows network. Simply connect a network analyzer to the switch's mirror or SPAN port (or to a local hub that the perimeter firewall is connected to) and see which protocols are in use and who the top talkers are.
TamoSoft's NetResident is a great low-cost tool for this as is the full-blown network analyzer OmniPeek. OmniPeek's "monitor mode" provides an overview of what's going on and doesn't require you to go through the trouble of capturing actual packets.
Run the network analyzer for a few hours in the middle of the day -- or over a period of a few days -- to get a good cross section of traffic patterns. Either way, you'll probably find traffic conversations and employee shenanigans that you didn't know were taking place, like the suspect FTP traffic in Figure 4.
One final issue to consider is a rogue insider exploiting a flaw they discovered by running a quick vulnerability scan of the network. This is less likely to occur than the misdeeds mentioned above, but it can still happen.
Several free and easy-to-use tools, including LANguard and NeXpose Community Edition, would allow a contractor or employee to scan a few hosts and come across a weakness like the Backup Exec Remote Agent Authentication Vulnerability, the Microsoft Plug and Play vulnerability or any other flaws related to missing patches. This insider could then download Metasploit as well as any additional exploit code, and run it to gain a remote command prompt with full access to the system. It only takes a few minutes before "Boom!" – they're in.
Therefore, it's important to run a vulnerability scanner like those mentioned above (or QualysGuard) to ensure you stay a step ahead of the bad guys.
While there are many more security tests that can be performed on a Windows network, the tests mentioned here are some of the biggies that shouldn't be overlooked. You don't necessarily need to perform all of these tests each month or every quarter, but at least make them part of an annual internal vulnerability assessment program.
ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
This was first published in January 2010