Protect your network: Hide your servers
Brien M Posey
Published: 09 Jul 2003 15:10 BST
Just about every office I've ever worked in has had trouble with curious users. In a Windows network, the biggest problem is that any user can open the Network Neighborhood or My Network Places and see a complete listing of all of the machines that are currently on the same network -- including servers. In and of itself, this isn't really a problem, assuming that your servers are secure and you don't have malicious users. However, many companies have visible servers that aren't completely secure -- and a few malicious users, to boot. Let's take a closer look at this problem and what you can do to mitigate it.
Those pesky users
Some users are just naturally curious. They'll double-click on machines in the network browse list to see whether any shares show up and just to take a look at what's available on the network. In fact, I once caught an employee systematically going through every machine to see what share points existed on them. When I asked her what she was doing, she told me that she was trying to familiarise herself with the network by seeing exactly what data directories and what application folders she had rights to.
In that particular situation, I honestly believe that the user was telling me the truth and that her actions were harmless. Of course, her actions might not have been harmless if I hadn't done my job properly. Suppose that I had accidentally overlooked a share point that should have been tightly secured. The user's innocent actions could then have jeopardised a server.
The other problem with having visible servers is that they're tempting targets for hackers within your company. Countless reports suggest that most security breaches on corporate networks come from within the company, and I have seen real-world examples of this time and time again.
At the risk of embarrassing myself, one such example involves me directly. When I got my first network administration job, I was 18 years old and had just graduated from high school. My programming skills were excellent, but I knew very little about networking (comparatively speaking).
My boss understood that I was a trainee and that I already had some basic networking knowledge. She gave me limited access to the network rather than just giving me administrative access on my first day. She then suggested that I use my access to start familiarising myself with the network. I started looking around and eventually, curiosity got the best of me. I launched an elevation of privileges attack against the network and by my third day on the job, I had created a user account with administrative privileges.
Another case in which the ability to see the server's browse list allowed an internal attack occurred at the same company about two years after I was hired. One of the departments had hired a guy to answer the phones. However, the phones didn't ring much, and he started getting bored, so he turned his attention to the network. He had downloaded some hacker utilities from AOL and started using them against the corporate network.
Although he never gained administrative access, he did manage to derive a considerable amount of information about the network. Fortunately for the IT staff, the guy loved to show off his exploits to his friends and one of them ratted him out.
Previous
Did you find this article useful?
108 out of 217 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
