Windows NT Professional

July 1999

Close the Door on Hackers--Secure Your Network

Chances are your network contains some confidential or sensitive data. Therefore, you probably want to keep that data as secure as possible. In the March 1998 article, "Passwords 101: Ten tips for tightening Windows NT's security," we demonstrated how important a strong password policy is in defending against an attack on your network. In this article, we'll delve further into the issue of network security and discuss some relatively simple procedures you can use to keep your data from falling into the wrong hands.

User restrictions

Even though your network may have secure passwords, there's always the chance that users may tell someone else their password or try to use information on the network for their personal gain. When this happens, an employee will typically come into the office to access the network rather than using a dial-up connection, which is usually closely monitored. Since the user won't want to draw any attention, he or she may try to access the forbidden data from a PC in a remote corner of the building or plug a laptop into a vacant network jack in a secluded location. The user may also try to do this late at night when there are relatively few people in the building.

Fortunately, you can protect your network against this type of user. Both NetWare and Windows NT Server allow you to restrict which PCs a user may log in through. To do so in Windows NT, open User Manager for Domains and double-click on the user name to open the User Properties dialog box. Then, click the Logon From button to open the Logon Workstations dialog box, as shown in Figure A. Note that the Logon From button will only appear if you're managing a domain.

Figure A: You can control which PCs a given user can log on through.
[ Figure A ]

By limiting a user's access to one PC or one department's PC, you prevent the user from logging on to a PC in a secluded section of the building. In the process, you've also made it more difficult for outside hackers to access your network, because even if they figure out a password, it will work only in certain locations.

However, controlling which PCs users are allowed to log on through isn't a total solution. If users are allowed to log on through a laptop, they can plug the laptop in anywhere in the building, and the network will know only that they're logging on from an authorized PC.

To prevent this, we recommend disconnecting any unused network jacks from your hubs. If you're using a coaxial cabling topology, we suggest replacing any unused T-connectors with barrel connectors. Although a malicious user could still disconnect another PC and use that network hookup, he or she would risk drawing unwanted attention in the process.

Finally, you'll probably want to limit the times when users can log on. Obviously, you may have to be flexible for people who work lots of overtime, but using the Logon Hours dialog box shown in Figure B, you can limit everyone else's log on privileges to business hours Monday through Friday.

To open the Logon Hours dialog box, click the Hours button in the User Properties dialog box. As was the case with the Logon From button, the Hours button will appear only if you're managing a domain.

Figure B: You can also tighten security by limiting access times.
[ Figure B ]

Even those users who work overtime usually do so at consistent times throughout the week For example, suppose a user works late but is usually gone by 9:00 P.M. In that case, you might deny access between 11:00 P.M. and an hour or two before the user typically arrives in the mornings. Of course, you should use caution when restricting access times--you don't want to interfere with the productivity of legitimate users.

Don't forget inactive accounts!

Inactive accounts that belong to users who have long since left the company are wide open doors to your network--particularly if any of those former employees happen to be holding a grudge because they didn't leave the company on good terms. If you're not sure whether or not the employee will be returning to the company, we recommend disabling their user account rather than deleting it. This way you won't have to re-create the entire user profile. You can easily disable an account by double-clicking on the user name in User Manager for Domains and selecting the Account Disabled check box in the User Properties dialog box. Then, once you're sure the employee won't be rehired, delete their user account.

Remote access procedures

If people at your company use laptops, you most likely have a dial-up connection set up for remote network access. Unfortunately, remote access servers give hackers an easy way to crack your network without ever being seen. One way you can significantly reduce the chance of this happening is to use an automatic call back feature. For example, suppose that some users typically dial in to the network from home. If you're using Windows NT Server, you can set it up so that when the user logs on, the server disables the connection and then calls the user back at his or her preprogrammed home phone number. This way, you can be relatively sure that it's really that particular user who's logging on.

To configure call back, double-click on the user name in User Manager For Domains to open the User Properties dialog box. Then, click on the Dialin button to open the Dialin Information dialog box, as shown in Figure C. Select the Preset To option, enter the phone number in the text box, and click OK to accept the changes.

Figure C: To secure a dial-in account, select the Preset To option in the Dialin Information dialog box.
[ Figure C ]

Some remote access packages also allow the person logging on to specify the number the server should call back. Although this isn't as secure as using preprogrammed phone numbers, it accommodates users who travel. The server will keep a log of all phone numbers it has dialed, so you can periodically review the list for suspicious phone numbers.

Auditing

Both Windows NT Server and NetWare provide tools for auditing various network events. Using the Windows NT Audit Policy dialog box, shown in Figure D, it's easy to keep a written record of various network events. You can open this dialog box through User Manager For Domains by selecting Audit from the Policies menu.

Figure D: You can use auditing to track network usage.
[ Figure D ]

Because these tools let you audit many different events, the log files can quickly become overwhelming to read. Therefore, you should audit only those events that could be signs of someone trying to break in to your network. For example, you might keep track of login attempts that fail to provide the correct password within the number of attempts you've specified. Or, you might keep a record of people who log on after business hours. Usually, one of the first things that a hacker will do when breaking in to a system is create a network account that can be used for future access. Therefore, it's very important to audit the creation and deletion of accounts.

In a NetWare environment, you must supply a password to view the audit log. You should use a unique password and be very selective about who you give it to.

Physical location of servers and hubs

All the workstation security in the world won't help you if someone can access your server directly. Therefore, you should keep your servers behind locked doors. Keep in mind, though, that the room should be climate-controlled; don't keep your servers in a closet without air conditioning or ventilation. You should also keep your hubs in a secure location. If you don't, someone wanting to steal your data badly enough could hook a network analyzer up to a hub and steal data and passwords as they come across the wire.

Wire-tapping

It's also important to keep your LAN cables in a secure location. Otherwise, a hacker could tap a cable and steal the data packets as they go across the network. When possible, we recommend running network cables in crawl spaces or in hanging ceilings. However, if you do run cable in these areas, be sure to use the proper cabling.

Backup storage

One of the easiest ways for hackers to access your data is to steal one of your backup tapes. They could then set up their own server elsewhere and restore only the data portion of the tape, thus bypassing any security. To prevent this from happening, we recommend that you keep a fireproof vault in a secured location, such as the room where you keep your servers. As soon as you arrive in the morning, you should place the previous night's backup tape in the vault to prevent it from being stolen or accidentally damaged. Store all other backups in a secure, off-site location, so you'll be well protected against theft and natural disasters. At the end of the day, you should move the previous night's backup to the off-site location and then load a blank tape into the tape drive.

If you recycle tapes, you should erase the tape you plan on using for that night's backup before you leave for the night. The idea is to make sure that if someone steals the tape after you leave, the only thing they'll get is a blank tape. There are also a couple of things you can do when you schedule the backup to make your data more secure.

First, most backup programs will allow you to assign a password to the tape--make sure you take advantage of this feature. Second, schedule the backup so that it finishes about the same time that you arrive in the morning. That way, no one can steal the tape in the middle of the night, because the backup will still be running. If someone does steal the tape during the backup, they won't be able to get any data off of it. That's because most programs back up all the files before they write the file's location to the header of the tape.

Copyright © 1999, ZD Inc. All rights reserved. ZD Journals and the ZD Journals logo are trademarks of ZD Inc. Reproduction in whole or in part in any form or medium without express written permission of ZD Inc. is prohibited. All other product names and logos are trademarks or registered trademarks of their respective owners.