We often discuss and test security vulnerabilities from the perspective of external hackers, but we tend to forget insider threats, which are just as dangerous or even more destructive. Sometimes we recognize that insider threats exist and still ignore the warning signs that our data is being misused.
When performing an internal test, add the following commonly overlooked checks to your test list:
1. Test share permissions and directory permissions. When testing file permissions, ensure that only authorized users can read, write, or otherwise use important information on the system. Test not only the servers but also the workstations. I often find unprotected shares and directories on Windows workstations, usually accessible to anyone on the network.
Create an ordinary domain user, log in as that user, and see what you can view and do. You may be surprised. Review the share permissions and NTFS permissions of groups and users. This is tedious work, but if you want the system to be free of internal risk, it has to be done.
The best way to do this is to use the appropriate tool. Figure 1 shows the share permission reporting in DumpSec, and Figure 2 shows the share-finding tool in LANguard Network Security Scanner. Both tools are effective for tracking down and reviewing specific permissions; otherwise you must track and review them manually.
Figure 1 - DumpSec can detect insecure share permissions.
Figure 2 - The share finder in LANguard Network Security Scanner can track down share permissions.
2. Carefully crawl your shares and directories to find important information that has no security protection. You can use the text search function in Windows Explorer, but I prefer free or more reliable commercial software, such as Google Desktop Search or Effective File Search, shown in Figure 3. Enter some regular expressions or other text that you think can locate important information, for example "dob" for date of birth and "ssn" for Social Security number, and see what the search tool finds. You may want to shorten the search time by limiting the file types searched, such as DOC, PDF, TXT, RTF, and XLS. You will find important information scattered in temporary directories, on the Windows desktops of local workstations, and in insecure directories on file servers. If you do not find any important unprotected information, it may be because your search was not thorough enough, so keep trying other text searches.
Figure 3 - Use text search to discover important information scattered across the network.
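An added example, not part of the original tip or of any tool it names: a Python script that walks a directory tree standing in for a share, limits itself to the file types listed above, and flags files matching "ssn"/"dob" keywords or an SSN-shaped number. The sample files, directory name and pattern set are constructed for the demo.

```python
import os
import re
import tempfile

# Extensions the search is limited to, as the tip suggests.
SEARCH_EXTENSIONS = {".doc", ".pdf", ".txt", ".rtf", ".xls"}

# Keyword patterns mirror the "dob" / "ssn" hints above; the numeric pattern
# catches US Social Security numbers written as NNN-NN-NNNN (constructed set).
PATTERNS = {
    "ssn_keyword": re.compile(r"\bssn\b", re.IGNORECASE),
    "ssn_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob_keyword": re.compile(r"\bdob\b|date of birth", re.IGNORECASE),
}

def scan_tree(root):
    """Walk root and return {path: [pattern names matched]} for files whose
    extension is in SEARCH_EXTENSIONS and whose text matches a pattern."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SEARCH_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="ignore" lets us skim binary-ish formats (DOC, XLS)
                # for embedded plain text without failing on odd bytes.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = [k for k, rx in PATTERNS.items() if rx.search(text)]
            if hits:
                findings[path] = hits
    return findings

def build_sample_share():
    """Constructed sample data: a temp directory standing in for a share."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "temp"))
    samples = {
        "temp/payroll.txt": "Name: J. Doe\nSSN: 123-45-6789\nDOB: 1980-01-02\n",
        "notes.rtf": "Meeting at 10am, bring the projector.",
        "backup.bak": "ssn 987-65-4321",  # extension not searched: skipped
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running `scan_tree(build_sample_share())` reports only the payroll file; the `.bak` copy is missed on purpose, which is exactly why the tip says to keep widening the search if the first pass finds nothing.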
3. Connect a network analyzer to the backbone network to see what is leaving the network. This is another test that may uncover problems on your Windows network. You only need to connect the network analyzer to a mirror or SPAN port on the switch (or to a local hub in front of the firewall) to see which protocols are in use and who is talking the most. I like to use EtherPeek SE because it has a monitoring mode: you do not have to go to the trouble of capturing packets to get a general picture. For more complete information, run the network analyzer for several hours during the day, or for several days. Either way, I firmly believe you may find network mischief from employees you never suspected.
Figure 4 shows EtherPeek's list of suspicious protocols. These protocols should not appear on the network. Hmm, POP3 email, SSH, and AOL Instant Messenger traffic all from the same intern's machine? You may wonder what will happen next with such a setup.
Figure 4 - The network analyzer's monitoring mode reveals network security vulnerabilities you never noticed.
Another possible problem, although less likely than those mentioned above, can still happen: an insider uses vulnerabilities they have discovered to launch a quick network attack. With a few free, simple tools they can scan some hosts and discover vulnerabilities such as the Backup Exec Remote Agent authentication vulnerability. If the attacker knows anything about computers, they only need to download and run Metasploit to obtain remote command access to the entire system. It takes them only three minutes to get into the network! In my latest tip, I introduced how to use Metasploit for security testing.
Some of these tests take time and effort, but you need to perform them to keep the system free of internal threats. However, you do not need to perform them every month or every quarter.