
Tests for securing the internal Windows network

While hardening your network against hackers is important, it's also critical to look out for internal threats. Protect your environment from the inside with these security tests.

By Kevin Beaver, Contributor

There's a lot of talk about testing for network security vulnerabilities from a hacker's perspective, but it's important to remember that rogue insiders can do as much -- if not more -- damage to your network.

To better secure your network from the inside, add the following to your testing to-do list.

1. Test share, directory, and (if needed) file permissions to ensure that only authorized users can read, write, or otherwise act on sensitive information on your systems. Do this for both servers and workstations.

I come across a lot of open shares and unprotected directories on Windows workstations that anyone and everyone on the network has free rein over.

To test this, create a new plain-vanilla domain user, log in as that user and see what you can do. It will likely be an unpleasant surprise.

In addition, look at explicit share and NTFS permissions for groups and users. While this can be very tedious, it needs to be done to keep your systems locked down and prevent unauthorized internal abuse. The easiest way to do this is with tools like DumpSec's share permission function (Figure 1) and LANguard's Share Finder tool (Figure 2). Both of these tools are great for tracking down and auditing specific permissions that would take a long time to review manually.

Figure 1

Figure 2
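One way to script the share and NTFS permission review described above, as an added example that is not code from the article or from the tools it names. It assumes WinRM/CIM access to each host and the SmbShare module (Windows 8 / Server 2012 or later); the host names are hypothetical.

```powershell
# Added example, not code from the article: audit SMB shares on a list of hosts
# for share-level or NTFS permissions granted to broad groups. Assumes WinRM/CIM
# access to each host and the SmbShare module (Windows 8 / Server 2012 or later).
# $Hosts holds hypothetical names; replace them with your servers and workstations.
$Hosts = @('FS01', 'WS-ALICE')
# Identities that should rarely hold write access on a shared folder.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     "$env:USERDOMAIN\Domain Users")
# Any of these NTFS bits lets the holder change data; Modify and FullControl include them.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write

$findings = foreach ($h in $Hosts) {
    $cim = New-CimSession -ComputerName $h
    # Skip administrative shares (C$, ADMIN$, IPC$); they are expected and admin-only.
    foreach ($share in (Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special })) {
        # Layer 1: the share ACL, which controls who can reach the share over the network.
        Get-SmbShareAccess -CimSession $cim -Name $share.Name |
            Where-Object { $_.AccountName -in $BroadPrincipals -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -in 'Change', 'Full' } |
            ForEach-Object {
                [pscustomobject]@{ Host = $h; Share = $share.Name; Layer = 'Share'
                                   Principal = $_.AccountName; Right = $_.AccessRight }
            }
        # Layer 2: the NTFS ACL on the folder behind the share. Effective access is the
        # more restrictive of the two layers, so a loose share ACL alone is not proof of
        # exposure, but a loose NTFS ACL is reachable from any other share or a local logon.
        $acl = Get-Acl -Path "\\$h\$($share.Name)"
        foreach ($ace in $acl.Access) {
            $canWrite = (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0
            if ($ace.IdentityReference.Value -in $BroadPrincipals -and
                $ace.AccessControlType -eq 'Allow' -and $canWrite) {
                [pscustomobject]@{ Host = $h; Share = $share.Name; Layer = 'NTFS'
                                   Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
            }
        }
    }
    Remove-CimSession $cim
}
$findings | Sort-Object Host, Share, Layer | Format-Table -AutoSize
```

Each row is a share where a broad group can write at one of the two layers; run it as the plain-vanilla test user as well, since that account's view is the one that matters.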

2. Dig deeper and search your shares and directories for sensitive information that's not properly secured. While the text search capabilities of Windows Explorer can be used, I prefer a faster and more robust freeware or commercial application like Google Desktop Search, FileLocator Pro, or Identity Finder, shown in the figure below.

Figure 3

These tools allow you to search using regular expressions and keywords associated with sensitive information, like "DOB" for date of birth and "SSN" for social security number. To cut down on scan times, consider narrowing your search to text-based files like DOC, PDF, TXT, RTF, XLS, etc.

Regardless of the method you use, you'll likely find unprotected sensitive information scattered throughout temp directories, the Windows desktop on local workstations and the various directories on file servers. If you don't find anything then you probably haven't looked deep enough. Keep experimenting with the test queries.
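A scripted version of the keyword and regular-expression sweep described above, as an added example that is not code from the article or from the products it names. It covers plain-text formats only (DOC, XLS and PDF store text in binary or compressed form and need a tool that extracts text first); the share paths are hypothetical.

```powershell
# Added example, not code from the article: sweep file shares for files whose
# content matches keywords or patterns associated with sensitive data. Plain-text
# formats only; DOC, XLS and PDF need a tool that extracts their text first.
# $Roots is a hypothetical list; point it at your file servers and workstations.
$Roots = @('\\FS01\Public', '\\FS01\Shared', '\\WS-ALICE\C$\Users')
$TextTypes = @('*.txt', '*.csv', '*.rtf', '*.log', '*.xml', '*.ini', '*.htm', '*.html')

# Keyword hits are cheap and broad; the number patterns carry validity checks
# (SSN area 000/666/9xx and group 00 are never issued) to cut false positives.
$Patterns = [ordered]@{
    'DOB keyword' = '\b(DOB|date of birth)\b'
    'SSN keyword' = '\bSSN\b'
    'SSN number'  = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
    'Card number' = '\b(?:\d[ -]?){15}\d\b'
}

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $TextTypes -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($name in $Patterns.Keys) {
                # -List stops at the first matching line, so large files are not read to the end.
                $m = Select-String -Path $file.FullName -Pattern $Patterns[$name] -List -ErrorAction SilentlyContinue
                if ($m) {
                    $snippet = $m.Line.Trim()
                    if ($snippet.Length -gt 60) { $snippet = $snippet.Substring(0, 60) }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Pattern = $name
                        Line    = $m.LineNumber
                        Owner   = (Get-Acl -Path $file.FullName).Owner
                        # Digits are masked so the report does not become a second copy of the data.
                        Sample  = $snippet -replace '\d', '#'
                    }
                }
            }
        }
}
$hits | Sort-Object File, Pattern | Export-Csv -Path .\sensitive-data-hits.csv -NoTypeInformation
```

The owner column tells you who to talk to about each file; the masked sample is enough to triage without the report itself needing the same protection as the data it found.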

3. Connect a network analyzer to your network backbone and see what's leaving the network. This is another test that will likely uncover issues you didn't know existed on the Windows network. Simply connect a network analyzer to the switch's mirror or span port (or to a local hub that the perimeter firewall is connected to) and see which protocols are in use and who the top talkers are.

TamoSoft's NetResident is a great low-cost tool for this as is the full-blown network analyzer OmniPeek. OmniPeek's "monitor mode" provides an overview of what's going on and doesn't require you to go through the trouble of capturing actual packets.

Run the network analyzer for a few hours in the middle of the day -- or over a period of a few days -- to get a good cross section of traffic patterns. Either way, you'll probably find traffic conversations and employee shenanigans that you didn't know were taking place, like the suspect FTP traffic in Figure 4.

Figure 4
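Once the analyzer has been running, the conversation export can be summarized into the protocol breakdown and top-talker list described above, and cleartext protocols heading off the network (like the FTP traffic in Figure 4) can be flagged. This is an added example, not code from the article or from either analyzer; the CSV inside it is constructed sample data and the internal address range is assumed.

```powershell
# Added example, not code from the article: summarize a conversation export from
# a network analyzer into a service breakdown and top talkers, and flag cleartext
# protocols leaving the internal range. The CSV below is constructed sample data;
# map a real export's column names onto these headers before running it.
$sample = @'
Src,Dst,DstPort,Bytes
10.1.5.23,203.0.113.10,21,58234112
10.1.5.23,10.1.1.5,445,1204000
10.1.7.8,10.1.1.5,445,98000000
10.1.7.8,198.51.100.7,443,2500000
10.1.9.14,198.51.100.7,80,740000
10.1.9.14,10.1.1.2,53,12000
'@
$flows = $sample | ConvertFrom-Csv
$InternalPrefix = '10.1.'     # assumed internal address range
# Well-known ports for services that carry credentials or data in the clear.
$Cleartext = @{ 21 = 'FTP'; 23 = 'Telnet'; 80 = 'HTTP'; 110 = 'POP3'; 143 = 'IMAP' }
$Known     = @{ 53 = 'DNS'; 443 = 'HTTPS'; 445 = 'SMB' }

function Get-ServiceName([int]$Port) {
    if ($Cleartext.ContainsKey($Port)) { return $Cleartext[$Port] }
    if ($Known.ContainsKey($Port))     { return $Known[$Port] }
    return "port/$Port"
}
function Get-MB($group) { [math]::Round(($group | Measure-Object -Property Bytes -Sum).Sum / 1MB, 1) }

"== Bytes by service =="
$flows | Group-Object { Get-ServiceName $_.DstPort } |
    Select-Object Name, @{ n = 'MB'; e = { Get-MB $_.Group } } |
    Sort-Object MB -Descending | Format-Table -AutoSize

"== Top talkers by source =="
$flows | Group-Object Src |
    Select-Object Name, @{ n = 'MB'; e = { Get-MB $_.Group } } |
    Sort-Object MB -Descending | Select-Object -First 3 | Format-Table -AutoSize

"== Cleartext services to external destinations =="
$flows | Where-Object { -not $_.Dst.StartsWith($InternalPrefix) -and
                        $Cleartext.ContainsKey([int]$_.DstPort) } |
    Select-Object Src, Dst, @{ n = 'Service'; e = { $Cleartext[[int]$_.DstPort] } }, Bytes |
    Format-Table -AutoSize
```

With the sample data the last table surfaces the 55 MB FTP session from 10.1.5.23 to an outside address, which is the kind of conversation worth following up on with the user involved.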

One final issue to consider is a rogue insider exploiting a flaw they discovered by running a quick vulnerability scan of the network. This is less likely to occur than the misdeeds mentioned above, but it can still happen.

Several free and easy-to-use tools, including LANguard and NeXpose Community Edition, would allow a contractor or employee to scan a few hosts and come across a weakness like the Backup Exec Remote Agent Authentication Vulnerability, the Microsoft Plug and Play vulnerability or any other flaws related to missing patches. This insider could then download Metasploit as well as any additional exploit code, and run it to gain a remote command prompt with full access to the system. It only takes a few minutes before "Boom!" – they're in.

Therefore, it's important to run a vulnerability scanner like those mentioned above (or QualysGuard) to ensure you stay a step ahead of the bad guys.

While there are many more security tests that can be performed on a Windows network, the tests mentioned here are some of the biggies that shouldn't be overlooked. You don't necessarily need to perform all of these tests each month or every quarter, but at least make them part of an annual internal vulnerability assessment program.

Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @
