Chapter 21

Securing Your Network

In This Chapter

• Assessing the risk for security

• Determining your basic security philosophy

• Physically securing your network equipment

• User account security

• Other network security techniques

• Making sure your users are secure

Before you had a network, computer security was easy. You simply locked your door when you left work for the day. You could rest easy, secure in the knowledge that the bad guys would have to break down the door to get to your computer.

The network changes all that. Now, anyone with access to any computer on the network can break into the network and steal your files. Not only do you have to lock your door, but you have to make sure that other people lock their doors, too.

Fortunately, network operating systems (NOSes) have built-in provisions for network security, deterring someone from stealing your files even if he does break down the door. All modern NOSes have security features that are more than adequate for all but the most paranoid users.

Tip: When I say more than adequate, I mean it. Most networks have security features that would make even Maxwell Smart happy. Using all these security features is kind of like Smart insisting that the Chief lower the “Cone of Silence” (which worked so well that Max and the Chief couldn’t hear each other!). Don’t make your system so secure that even the good guys can’t get their work done.

Warning: If any computer on your network is connected to the Internet, you must harden your network against intrusion via the Internet. For more information, see Chapter 23. Also, if your network supports wireless devices, you have wireless security issues. For information about security for wireless networks, see Chapter 9.

Do You Need Security?

Most small networks are in small businesses or departments where everyone knows and trusts everyone else. Folks don’t lock up their desks when they take a coffee break, and although everyone knows where the petty cash box is, money never disappears.

Network security isn’t necessary in an idyllic setting like this one, is it? You bet it is. Here’s why any network should be set up with at least some concern for security:

• Even in the friendliest office environment, some information is and should be confidential. If this information is stored on the network, you want to store it in a directory that’s available only to authorized users.

• Not all security breaches are malicious. A network user may be routinely scanning through files and come across a filename that isn’t familiar. The user may then call up the file, only to discover that it contains confidential personnel information, juicy office gossip, or your résumé. Curiosity, rather than malice, is often the source of security breaches.

• Sure, everyone at the office is trustworthy now. However, what if someone becomes disgruntled, a screw pops loose, and he decides to trash the network files before jumping out the window? What if someone decides to print a few $1,000 checks before packing off to Tahiti?

• Sometimes the mere opportunity for fraud or theft can be too much for some people to resist. Give people free access to the payroll files, and they may decide to vote themselves a raise when no one is looking.

• If you think that your network doesn’t contain any data worth stealing, think again. For example, your personnel records probably contain more than enough information for an identity thief: names, addresses, phone numbers, Social Security numbers, and so on. Also, your customer files may contain your customers’ credit card numbers.

• Hackers who break into your network may be looking to plant a Trojan horse program on your server, enabling them to use your server for their own purposes. For example, someone may use your server to send thousands of unsolicited spam e-mail messages. The spam won’t be traced back to the hackers; it’ll be traced back to you.

• Not everyone on the network knows enough about how Windows and the network work to be trusted with full access to your network’s data and systems. A careless mouse click can wipe out a directory of network files. One of the best reasons for activating your network’s security features is to protect the network from mistakes made by users who don’t know what they’re doing.

Two Approaches to Security

When you’re planning how to implement security on your network, first consider which of two basic approaches to security you’ll take:

• Open door: You grant everyone access to everything by default and then place restrictions just on those resources to which you want to limit access.

• Closed door: You begin by denying access to everything and then grant specific users access to the specific resources that they need.

In most cases, an open door policy is easier to implement. Typically, only a small portion of the data on a network really needs security, such as confidential employee records, or secrets, such as the Coke recipe. The rest of the information on a network can be safely made available to everyone who can access the network.

If you choose a closed door approach, you set up each user so that he has access to nothing. Then, you grant each user access only to those specific files or folders that he needs.

A closed door approach results in tighter security but can lead to the Cone of Silence Syndrome: Like how Max and the Chief can’t hear each other but still talk while they’re under the Cone of Silence, your network users will constantly complain that they can’t access the information that they need. As a result, you’ll find yourself often adjusting users’ access rights. Choose a closed door approach only if your network contains a lot of sensitive information, and only if you’re willing to invest time administrating your network’s security policy.

You can think of an open door approach as an entitlement model, in which the basic assumption is that users are entitled to network access. In contrast, the closed-door policy is a permissions model, in which the basic assumption is that users aren’t entitled to anything but must get permissions for every network resource that they access.

Technical Stuff: If you've never heard of the Cone of Silence, go to YouTube (www.youtube.com) and search for Cone of Silence. You'll find several clips from the original Get Smart series.

Physical Security: Locking Your Doors

The first level of security in any computer network is physical security. I’m amazed when I walk into the reception area of an accounting firm and see an unattended computer sitting on the receptionist’s desk. Often, the receptionist has logged on to the system and then walked away from the desk, leaving the computer unattended.

Physical security is important for workstations but vital for servers. Any good hacker can quickly defeat all but the most paranoid security measures if they can gain physical access to a server. To protect the server, follow these guidelines:

• Lock the computer room.

• Give the key only to people you trust.

• Keep track of who has the keys.

• Mount the servers on cases or racks that have locks.

• Disable the floppy drive on the server.

  A common hacking technique is to boot the server from a floppy, thus bypassing the security features of the NOS.

• Keep a trained guard dog in the computer room and feed it only enough to keep it hungry and mad. (Just kidding.)

Remember: There’s a big difference between a door with a lock and a locked door. And locks are quite worthless if you don’t use them.

Client computers should be physically secure:

• Instruct users to not leave their computers unattended while they’re logged on.

• In high-traffic areas (such as the receptionist’s desk), users should secure their computers with the keylock, if the computer has one.

• Users should lock their office doors when they leave.

Warning: Here are some other threats to physical security that you may not have considered:

• The nightly cleaning crew probably has complete access to your facility. How do you know that the person who vacuums your office every night doesn’t really work for your chief competitor or doesn’t consider computer hacking to be a sideline hobby? You don’t, so consider the cleaning crew to be a threat.

• What about your trash? Paper shredders aren’t just for Enron accountants. Your trash can contain all sorts of useful information: sales reports, security logs, printed copies of the company’s security policy, even hand-written passwords. For the best security, every piece of paper that leaves your building via the trash bin should first go through a shredder.

• Where do you store your backup tapes? Don’t just stack them up next to the server. Not only does that make them easy to steal, it also defeats one of the main purposes of backing up your data in the first place: securing your server from physical threats, such as fires. If a fire burns down your computer room and the backup tapes are sitting unprotected next to the server, your company may go out of business and you’ll certainly be out of a job. Store the backup tapes securely in a fireproof safe and keep a copy off-site, too.

• I’ve seen some networks in which the servers are in a locked computer room, but the hubs or switches are in an unsecured closet. Remember that every unused port on a hub or a switch represents an open door to your network. The hubs and switches should be secured just like the servers.

Securing User Accounts

Next to physical security, the careful use of user accounts is the most important type of security for your network. Properly configured user accounts can prevent unauthorized users from accessing the network, even if they gain physical access to the network. The following sections describe some of the steps that you can take to strengthen your network’s use of user accounts.

Obfuscating your usernames

Huh? When it comes to security, obfuscation simply means picking obscure usernames. For example, most network administrators assign usernames based on some combination of the user's first and last name, such as BarnyM or baMiller. However, a hacker can easily guess such a user ID if he or she knows the name of at least one employee. After the hacker knows a username, he or she can focus on breaking the password.

You can slow down a hacker by using names that are more obscure. Here are some suggestions on how to do that:

• Add a random three-digit number to the end of the name. For example: BarnyM320 or baMiller977.

• Throw a number or two into the middle of the name. For example: Bar6nyM or ba9Miller2.

• Make sure that usernames are different from e-mail addresses. For example, if a user's e-mail address is [email protected], do not use baMiller as the user's account name. Use a more obscure name.

Warning: Do not rely on obfuscation to keep people out of your network! Security by obfuscation doesn’t work. A resourceful hacker can discover the most obscure names. Obfuscation can slow intruders, not stop them. If you slow intruders down, you’re more likely to discover them before they crack your network.

Using passwords wisely

One of the most important aspects of network security is the use of passwords.

Remember: Usernames aren’t usually considered secret. Even if you use obscure names, even casual hackers will eventually figure them out.

Passwords, on the other hand, are top secret. Your network password is the one thing that keeps an impostor from logging on to the network by using your username and therefore receiving the same access rights that you ordinarily have. Guard your password with your life.

Here are some tips for creating good passwords:

• Don’t use obvious passwords, such as your last name, your kid’s name, or your dog’s name.

• Don’t pick passwords based on your hobbies. A friend of mine is a boater, and his password is the name of his boat. Anyone who knows him can quickly guess his password. Five lashes for naming your password after your boat.

• Store your password in your head — not on paper.

  Warning: Especially bad: Writing your password down on a sticky note and sticking it on your computer’s monitor.

• Most network operating systems enable you to set an expiration time for passwords. For example, you can specify that passwords expire after 30 days. When a user’s password expires, the user must change it. Your users may consider this process a hassle, but it helps to limit the risk of someone swiping a password and then trying to break into your computer system later.

• You can configure user accounts so that when they change passwords, they can’t reuse a recent password. For example, you can specify that the new password can’t be identical to any of the user’s past three passwords.

• You can also configure security policies so that passwords must include a mixture of uppercase letters, lowercase letters, numerals, and special symbols. Thus, passwords like DIMWIT or DUFUS are out. Passwords like 87dIM@wit or duF39&US are in.

• Warning: Some administrators of small networks opt against passwords altogether because they feel that security isn’t an issue on their network. Or short of that, they choose obvious passwords, assign every user the same password, or print the passwords on giant posters and hang them throughout the building. Ignoring basic password security is rarely a good idea, even in small networks. You should consider not using passwords only if your network is very small (say, two or three computers), if you don’t keep sensitive data on a file server, or if the main reason for the network is to share access to a printer rather than sharing files. (Even if you don’t use passwords, imposing basic security precautions, like limiting access that certain users have to certain network directories, is still possible. Just remember that if passwords aren’t used, nothing prevents a user from signing on by using someone else’s username.)
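The three policy settings described in the list above (30-day expiration, no reuse of the past three passwords, and a mix of character classes) can be sketched as one check. This is an added example, not code from the book or from any network operating system; the function names and the PBKDF2 work factor are assumptions, and the history is kept as salted hashes so that enforcing the reuse rule never requires storing old passwords in the clear.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MAX_AGE_DAYS = 30        # expiration interval from the text's example
HISTORY_DEPTH = 3        # "past three passwords" from the text
PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this sketch

CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeral": string.digits,
    "symbol": string.punctuation,
}


def _digest(password, salt):
    """Salted, slow hash so the history never stores a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password):
    """Return the (salt, digest) pair kept in a user's password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def missing_classes(password):
    """Names of the required character classes the password lacks."""
    return [name for name, chars in CLASSES.items()
            if not any(ch in chars for ch in password)]


def in_recent_history(password, history):
    """True if the password matches one of the last HISTORY_DEPTH records."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def is_expired(last_changed, today):
    """True once more than MAX_AGE_DAYS have passed since the last change."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def check_change(new_password, history):
    """List every reason a proposed password is rejected (empty = accepted)."""
    problems = [f"missing {name}" for name in missing_classes(new_password)]
    if in_recent_history(new_password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history, oldest first; the passwords are the text's own examples.
    history = [make_record(p) for p in ("Dks4%DJ2", "87dIM@wit", "duF39&US")]
    for candidate in ("DIMWIT", "87dIM@wit", "3pQ&X(d8"):
        print(candidate, check_change(candidate, history) or "accepted")
    print("expired:", is_expired(date(2024, 1, 1), date(2024, 2, 1)))
```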

Generating passwords For Dummies

How do you come up with passwords that no one can guess but that you can remember? Most security experts say that the best passwords don’t correspond to any words in the English language but consist of a random sequence of letters, numbers, and special characters. Yet, how in the heck are you supposed to memorize a password like Dks4%DJ2? Especially when you have to change it three weeks later to something like 3pQ&X(d8.

Tip: Here’s a compromise solution that enables you to create passwords that consist of two four-letter words back to back. Take your favorite book (if it’s this one, you need to get a life) and turn to any page at random. Find the first four- or five-letter word on the page. Suppose that word is When. Then repeat the process to find another four- or five-letter word; say you pick the word Most the second time. Now combine the words to make your password: WhenMost. I think you’ll agree that WhenMost is easier to remember than 3PQ&X(D8 and is probably just about as hard to guess. I probably wouldn’t want the folks at the Los Alamos Nuclear Laboratory using this scheme, but it’s good enough for most of us.

Here are additional thoughts on concocting passwords from your favorite book:

• If the words end up being the same, pick another word. And pick different words if the combination seems too commonplace, such as WestWind or FootBall.

• For an interesting variation, insert a couple of numerals or special characters between the words. You end up with passwords like into#cat, ball3%and, or tree47wing. If you want, use the page number of the second word as a separator. For example, if the words are know and click and the second word comes from page 435, use know435click.

• To further confuse your friends and enemies, use medieval passwords by picking words from Chaucer’s Canterbury Tales. Chaucer is a great source for passwords because he lived before the days of word processors with spell-checkers. He wrote seyd instead of said, gret instead of great, welk instead of walked, litel instead of little. And he used lots of seven-letter and eight-letter words suitable for passwords, such as glotenye (gluttony), benygne (benign), and opynyoun (opinion). And he got A’s in English.

• Tip: If you use any of these password schemes and someone breaks into your network, don’t blame me. You’re the one who’s too lazy to memorize D#Sc$h4@bb3xaz5.

• If you do decide to go with passwords, such as KdI22UR3xdkL, you can find random password generators on the Internet. Just go to a search engine, such as Google, and search for Password Generator. You’ll find Web pages that generate random passwords based on criteria that you specify, such as how long the password should be, whether it should include letters, numbers, punctuation, uppercase and lowercase letters, and so on.

Secure the Administrator account

It stands to reason that at least one network user must have the authority to use the network without any of the restrictions imposed on other users. This user is the administrator. The administrator is responsible for setting up the network’s security system. To do that, the administrator must be exempt from all security restrictions.

Warning: Many networks automatically create an administrator user account when you install the network software. The username and password for this initial administrator are published in the network’s documentation and are the same for all networks that use the same network operating system. One of the first things that you must do after getting your network up and running is to change the password for this standard administrator account. Otherwise, your elaborate security precautions are a complete waste of time. Anyone who knows the default administrator username and password can access your system with full administrator rights and privileges, thus bypassing the security restrictions that you so carefully set up.

Warning: Don’t forget the password for the administrator account! If a network user forgets his or her password, you can log on as the supervisor and change that user’s password. If you forget the administrator’s password, though, you’re stuck.

Managing User Security

User accounts are the backbone of network security administration. Through the use of user accounts, you can determine who can access your network as well as what network resources each user can and can’t access. You can restrict access to the network to just specific computers or to certain hours of the day. In addition, you can lock out users who no longer need to access your network. The following sections describe the basics of setting up user security for your network.

User accounts

Every user who accesses a network must have a user account. User accounts allow the network administrator to determine who can access the network and what network resources each user can access. In addition, the user account can be customized to provide many convenient features for users, such as a personalized Start menu or a display of recently used documents.

Every user account is associated with a username (sometimes called a user ID), which the user must enter when logging on to the network. Each account also has other information associated with it. In particular:

• The user’s password: This also includes the password policy, such as how often the user has to change his or her password, how complicated the password must be, and so on.

• The user’s contact information: This includes full name, phone number, e-mail address, mailing address, and other related information.

• Account restrictions: This includes restrictions that allow the user to log on only during certain times of the day. This feature can restrict your users to normal working hours so that they can’t sneak in at 2 a.m. to do unauthorized work. This feature also discourages your users from working overtime because they can’t access the network after hours, so use it judiciously. You can also specify that the user can log on only at certain computers.

• Account status: You can temporarily disable a user account so the user can’t log on.

• Home directory: This specifies a shared network folder where the user can store documents.

• Dial-in permissions: These authorize the user to access the network remotely via a dialup connection.

• Group memberships: These grant the user certain rights based on groups to which she belongs.

Tip: For more information, see the section, “Group therapy,” later in this chapter.
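The account restrictions and account status fields listed above are also worth checking after the fact: a logon that succeeded outside the permitted hours or from an unapproved computer means a restriction is not being enforced, and attempts against disabled or unknown accounts show someone probing. The following added example (not from the book) audits logon events against those fields; the log format, host names, and account settings are constructed for illustration.

```python
from datetime import datetime, time

# Constructed account settings modeled on the fields listed above.
ACCOUNTS = {
    "baMiller977": {"enabled": True, "hours": (time(7, 0), time(19, 0)),
                    "workstations": {"ACCT-PC1", "ACCT-PC2"}},
    "BarnyM320": {"enabled": False, "hours": (time(7, 0), time(19, 0)),
                  "workstations": None},          # None = any computer
    "Guest": {"enabled": False, "hours": None,    # None = any time of day
              "workstations": None},
}

# Constructed log lines in a made-up key=value format.
SAMPLE_LOG = """\
2024-03-04T09:15:02 user=baMiller977 host=ACCT-PC1 result=success
2024-03-05T02:07:41 user=baMiller977 host=ACCT-PC1 result=success
2024-03-05T10:30:00 user=baMiller977 host=LOBBY-PC result=success
2024-03-05T11:00:12 user=BarnyM320 host=ACCT-PC2 result=success
2024-03-05T11:05:00 user=Guest host=LOBBY-PC result=failure
2024-03-05T11:06:00 user=jdoe host=LOBBY-PC result=failure
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'when'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["when"] = datetime.fromisoformat(stamp)
    return event


def violations(event, accounts=ACCOUNTS):
    """Return the account restrictions this logon event runs against."""
    account = accounts.get(event["user"])
    if account is None:
        return ["unknown account"]
    found = []
    if not account["enabled"]:
        found.append("disabled account")
    hours = account["hours"]
    if hours and not (hours[0] <= event["when"].time() < hours[1]):
        found.append("outside logon hours")
    allowed = account["workstations"]
    if allowed is not None and event["host"] not in allowed:
        found.append("unapproved workstation")
    return found


def audit(log_text, accounts=ACCOUNTS):
    """Return (timestamp, user, result, violation) for every flagged event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for violation in violations(event, accounts):
            findings.append((event["when"].isoformat(), event["user"],
                             event["result"], violation))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```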

Built-in accounts

Most network operating systems come preconfigured with two built-in accounts, Administrator and Guest. In addition, some server services, such as web or database servers, create their own user accounts under which to run. The following sections describe the characteristics of these accounts.

• The Administrator account: The Administrator account is the King of the Network. This user account isn’t subject to any of the account restrictions to which mere mortal accounts must succumb. If you log on as the administrator, you can do anything. For this reason, avoid using the Administrator account for routine tasks. Log in as the Administrator only when you really need to.

  Tip: Because the Administrator account has unlimited access to your network, it’s imperative that you secure it immediately after you install the server. When the NOS Setup program asks for a password for the Administrator account, start with a good random mix of uppercase and lowercase letters, numbers, and symbols. Don’t pick some easy-to-remember password to get started, thinking you’ll change it to something more cryptic later. You’ll forget, and in the meantime, someone will break in and reformat the server’s C: drive or steal your customer’s credit card numbers.

• The Guest account: Another commonly created default account is the Guest account. This account is set up with a blank password and few — if any — access rights. The Guest account is designed to allow anyone to step up to a computer and log on, but after they do, it then prevents them from doing anything. Sounds like a waste of time to me. I suggest you disable the Guest account.

• Service accounts: Some network users aren’t actual people. I don’t mean that some of your users are subhuman. Rather, some users are actually software processes that require access to secure resources, and therefore, require user accounts. These user accounts are usually created automatically for you when you install or configure server software.

  For example, when you install Microsoft's web server (IIS), an Internet user account called IUSR is created. The complete name for this account is IUSR_<servername>. So if the server is named WEB1, the account is named IUSR_WEB1. IIS uses this account to allow anonymous Internet users to access the files of your website.

  Tip: Don’t mess with these accounts unless you know what you’re doing. For example, if you delete or rename the IUSR account, you must reconfigure IIS to use the changed account. If you don’t, IIS will deny access to anyone trying to reach your site. (Assuming that you do know what you’re doing, renaming these accounts can increase your network’s security. However, don’t start playing with these accounts until you’ve researched the ramifications.)



User rights

User accounts and passwords are the front line of defense in the game of network security. After a user accesses the network by typing a valid user ID and password, the second line of security defense — rights — comes into play.

In the harsh realities of network life, all users are created equal, but some users are more equal than others. The Preamble to the Declaration of Network Independence contains the statement “We hold these truths to be self-evident, that some users are endowed by the network administrator with certain inalienable rights. . . .”

The rights that you can assign to network users depend on which network operating system you use. These are some of the possible user rights for Windows servers:

• Log on locally: The user can log on to the server computer directly from the server’s keyboard.

• Change system time: The user can change the time and date registered by the server.

• Shut down the system: The user can perform an orderly shutdown of the server.

• Back up files and directories: The user can perform a backup of files and directories on the server.

• Restore files and directories: The user can restore backed-up files.

• Take ownership of files and other objects: The user can take over files and other network resources that belong to other users.

NetWare has a similar set of user rights.

Permissions (who gets what)

User rights control what a user can do on a network-wide basis. Permissions enable you to fine-tune your network security by controlling access to specific network resources, such as files or printers, for individual users or groups. For example, you can set up permissions to allow users in the accounting department to access files in the server's ACCTG directory. Permissions can also enable some users to read certain files but not modify or delete them.

Each network operating system manages permissions in a different way. Whatever the details, the effect is that you can give permission to each user to access certain files, folders, or drives in certain ways. For example, you might grant a user full access to some files but grant read-only access to other files.

Tip: Any permissions you specify for a folder apply automatically to any of that folder’s subfolders, unless you explicitly specify different permissions for the subfolder.

Technical Stuff: You can use Windows permissions only for files or folders that are created on drives formatted as NTFS or ReFS volumes. If you insist on using FAT or FAT32 for your Windows shared drives, you can’t protect individual files or folders on the drives. This is one of the main reasons for using NTFS for your Windows servers.

Group therapy

A group account is an account that doesn’t represent an individual user. Instead, it represents a group of users who use the network in a similar way. Instead of granting access rights to each of these users individually, you can grant the rights to the group and then assign individual users to the group. When you assign a user to a group, that user inherits the rights specified for the group.

For example, suppose that you create a group named Accounting for the accounting staff and then allow members of the Accounting group access to the network’s accounting files and applications. Then, instead of granting each accounting user access to those files and applications, you simply make each accounting user a member of the Accounting group.

Here are a few additional details about groups:

• Groups are one of the keys to network management nirvana. As much as possible, avoid managing network users individually. Instead, clump them into groups and manage the groups. When all 50 users in the accounting department need access to a new file share, would you rather update 50 user accounts or just 1 group account?

• A user can belong to more than one group. Then, the user inherits the rights of each group. For example, you can have groups set up for Accounting, Sales, Marketing, and Finance. A user who needs to access both Accounting and Finance information can be made a member of both groups. Likewise, a user who needs access to both Sales and Marketing information can be made a member of both the Sales and Marketing groups.

• You can grant or revoke specific rights to individual users to override the group settings. For example, you may grant a few extra permissions for the manager of the accounting department. You may also impose a few extra restrictions on certain users.
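The pieces described in this chapter (the open door and closed door defaults, folder permissions that flow down to subfolders unless the subfolder has its own, rights inherited from several groups, and per-user grants and restrictions) combine into one effective-access calculation. The model below is an added example, not the book's code and not the actual NTFS evaluation algorithm; the users, folder paths, and right names are constructed, and it assumes a subfolder's explicit permissions replace the inherited ones, as the tip in the Permissions section describes.

```python
from pathlib import PureWindowsPath

FULL = frozenset({"read", "write", "delete"})

# Constructed group membership (hypothetical users).
GROUPS = {
    "Accounting": {"alice", "bob", "carol"},
    "Finance": {"bob"},
}

# Constructed ACLs: folder -> list of (principal, "allow" | "deny", rights).
ACLS = {
    PureWindowsPath(r"D:\Shares\ACCTG"): [
        ("group:Accounting", "allow", {"read", "write"}),
        ("group:Finance", "allow", {"read", "delete"}),
        ("user:alice", "allow", {"delete"}),   # extra right for the manager
        ("user:carol", "deny", {"write"}),     # extra restriction on one user
    ],
    PureWindowsPath(r"D:\Shares\ACCTG\Payroll"): [
        ("group:Finance", "allow", {"read"}),  # explicit ACL on the subfolder
    ],
}


def governing_acl(path, acls):
    """ACL of the path itself or, failing that, of its nearest ancestor folder."""
    target = PureWindowsPath(path)
    for folder in (target, *target.parents):
        if folder in acls:
            return acls[folder]
    return None


def principals(user, groups):
    """The user plus every group the user belongs to."""
    member_of = {f"group:{name}" for name, members in groups.items()
                 if user in members}
    return {f"user:{user}"} | member_of


def effective_rights(user, path, acls=ACLS, groups=GROUPS, default_open=False):
    """Rights the user ends up with on path.

    default_open=True models the open door approach (everything is allowed
    where no permissions were set); False models the closed door approach.
    """
    entries = governing_acl(path, acls)
    if entries is None:
        return set(FULL) if default_open else set()
    who = principals(user, groups)
    allowed, denied = set(), set()
    for principal, kind, rights in entries:
        if principal in who:
            (allowed if kind == "allow" else denied).update(rights)
    # A restriction always wins over a grant from any group.
    return allowed - denied


if __name__ == "__main__":
    ledger = r"D:\Shares\ACCTG\2024\ledger.xls"
    payroll = r"D:\Shares\ACCTG\Payroll\march.xls"
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_rights(user, ledger)),
              sorted(effective_rights(user, payroll)))
```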

User profiles

User profiles are a Windows feature that keeps track of an individual user’s preferences for his or her Windows configuration. For a non-networked computer, profiles enable two or more users to use the same computer, each with his or her own desktop settings, such as wallpaper, colors, Start menu options, and so on.

The real benefit of user profiles becomes apparent when profiles are used on a network. A user’s profile can be stored on a server computer and accessed whenever that user logs on to the network from any Windows computer on the network.

The following are some of the elements of Windows that are governed by settings in the user profile:

• Desktop settings from the Display Properties dialog box, including wallpaper, screen savers, and color schemes

• Start menu programs and Windows toolbar options

• Favorites, which provide easy access to the files and folders that the user accesses often

• Network settings, including drive mappings, network printers, and recently visited network locations

• Application settings, such as option settings for Microsoft Word

• The My Documents folder

Logon scripts

A logon script is a batch file that runs automatically whenever a user logs on. Logon scripts can perform several important logon tasks for you, such as mapping network drives, starting applications, synchronizing the client computer’s time-of-day clock, and so on. Logon scripts reside on the server. Each user account can specify whether to use a logon script and which script to use.

This sample logon script maps a few network drives and synchronizes the time:

net use m: \\MYSERVER\Acct
net use n: \\MYSERVER\Admin
net use o: \\MYSERVER\Dev
net time \\MYSERVER /set /yes

Logon scripts are a little out of vogue because most of what a logon script does can be done via user profiles. Still, many administrators prefer the simplicity of logon scripts, so they’re still used even on Windows 2012 Server systems.

Securing Your Users

Security techniques, such as physical security, user account security, server security, and locking down your servers are child’s play compared with the most difficult job of network security: securing your network’s users. All the best-laid security plans will go for naught if your users write their passwords on sticky notes and post them on their computers.

The key to securing your network users is to create a written network security policy and to stick to it. Have a meeting with everyone to go over the security policy to make sure that everyone understands the rules. Also, make sure to have consequences when violations occur.

Here are some suggestions for some basic security rules that can be incorporated into your security policy:

• Never write down your password or give it to someone else.

• Accounts shouldn’t be shared. Never use someone else’s account to access a resource that you can’t access under your own account. If you need access to some network resource that isn’t available to you, formally request access under your own account.

• Likewise, never give your account information to a co-worker so that he or she can access a needed resource. Your co-worker should instead formally request access under his or her own account.

• Don’t install any software or hardware on your computer without first obtaining permission. This especially includes wireless access devices or modems.

• Don’t enable file and printer sharing on workstations without first getting permission.

• Never attempt to disable or bypass the network’s security features.
