Tight budgets and strict regulations often translate to uneasy times for those responsible for managing Windows Server environments. It seems there is more pressure to perform security assessments of corporate networks, leaving many administrators and IT managers wondering what to do.
The choice is often between doing it in-house with various Windows security tools or hiring an outside company. In many situations, there is no budget set aside for this testing. There's often no wrong answer to which way to go; however, certain regulations require that independent third parties are used to perform the work.
Having worked as an independent consultant for more than a decade -- often consulting with businesses in these specific situations -- I have found a reasonable compromise that shows due care is taking place, and reasonable security evaluations are ongoing and consistent. The first step in any good information security program is to acknowledge any weaknesses. There are many great open source and free tools, combined with low-cost commercial alternatives, available to perform reasonable security vulnerability assessments to help point out and correct issues.
The following list of Linux and Windows security tools can help ferret out weaknesses on servers and related network systems.
Kali Linux is a live Linux DVD and virtual machine that offers vulnerability scanning, penetration testing and forensics tools to uncover niche vulnerabilities and research network events. This is a free, open-source utility. Some commercial alternatives include GFI LanGuard and Nexpose Community Edition.
NetScanTools Basic is a toolkit with various rudimentary network and security-related functions. The Pro version seeks out vulnerabilities ranging from open ports to DNS weaknesses to email security issues, and just about everything in between.
TamoSoft Essential NetTools
TamoSoft Essential NetTools is a toolkit similar to NetScanTools Pro that checks for issues with network configuration and security. It is available free of charge.
Wireshark is a free, open-source network analyzer that captures packets to and from Windows servers. CommView and CommView for WiFi are commercial, yet low cost, network analyzers that do just as much on wired and wireless networks, often in a simpler manner.
Burp Proxy is a low-cost tool for evaluating IIS-based website and Web application vulnerabilities.
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer is a free tool that is installed on Windows servers to seek out weak passwords, missing patches and other security misconfigurations.
Metasploit Framework is a free, open-source security tool that exploits specific vulnerabilities found on Windows systems to determine their severity, for example by obtaining a remote command prompt on a system without having to log in.
Building your case
If you test your own systems, then follow widely accepted standards such as the National Institute of Standards and Technology Special Publication 800-115, the Payment Card Industry Penetration Testing Guidelines and the Open Source Security Testing Methodology Manual (OSSTMM) for security testing.
Using these guides will demonstrate to management, auditors and regulators that industry best practices have been followed using well-known Windows security tools and solid methodologies. If you're not comfortable performing this work, you can learn more about it through the various books on performing security assessments, or you can hire someone to do the work for you.
Set up a schedule
Whether or not there is a budget allotted for testing should not be a factor in performing this work. These types of security assessments are often required by law or they may be needed to fulfill contracts or specific business partner or client demands. The important thing is to get started on this work and do it periodically and consistently year after year, such as once per quarter or every six months. One of the biggest mistakes people make is running some basic vulnerability scans and not digging in deeply enough. This can lead to the belief that everything is in check, because nothing serious was uncovered during the initial assessment.
Administrators must be proactive when it comes to security. Efforts must be made to build improved penetration testing methods to close any gaps. Potential intruders are working to improve their skills, and Windows administrators must do the same, lest their data center become yet another victim.
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC.