Securing the internal Windows network


Kevin Beaver
05.11.2006


We talk a lot about testing for security vulnerabilities from a hacker's perspective, but we must not forget about the rogue insiders who can do as much, if not more, damage. Sometimes we are cognizant of the insider threat but still look past issues that may be screaming "HELP, your data's being exploited!".

When performing your internal tests, be sure to add the following commonly overlooked weaknesses to your testing to-do list:

1. Test share, directory, and (if needed) file permissions to ensure that only authorized users can read, write, or otherwise act on sensitive information on your systems. Do this for both servers and workstations. I come across a lot of shares and unprotected directories on Windows workstations -- oftentimes ones that anyone and everyone on the network has free rein over.

Create a new plain-vanilla domain user, log in as that user, and see what you can see and touch. You'll likely be unpleasantly surprised. Also look at the explicit share and NTFS permissions granted to groups and users. This can be very tedious work, but it needs to be done if you're going to keep your systems locked down internally.

The best way to go about doing this is using the right tools. Figure 1 shows DumpSec's share permission function and Figure 2 shows LANguard Network Security Scanner's Share Finder tool. Both tools are great for tracking down and auditing specific permissions that would otherwise take forever to do manually.


Figure 1 - DumpSec can uncover weak share permissions and more


Figure 2 - LANguard Network Security Scanner's Share Finder can track down shares, permissions, and more
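The permission audit described in step 1 can also be scripted rather than clicked through. The following PowerShell is an added example, not code from the tip or from DumpSec or LANguard: it lists the non-administrative SMB shares on the local host and reports any share-level or NTFS grant that gives more than read access to a broad principal (Everyone, Authenticated Users, BUILTIN\Users, Domain Users, anonymous). It assumes the SmbShare module (Windows 8 / Server 2012 or later) and local administrator rights on the host being audited; the principal list and the rights mask are assumptions to adjust for your environment.

```powershell
# Added example, not part of Kevin Beaver's tip: flag SMB shares whose share ACL or NTFS ACL
# grants more than read access to broad, well-known principals.
# Assumes the SmbShare module (Windows 8 / Server 2012 or later) and local admin rights.

# Identities that in practice mean "anyone on the network". Domain Users is matched by
# suffix in Test-BroadPrincipal because its domain prefix varies.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

# NTFS rights beyond read that count as a finding when held by a broad principal.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadPrincipal {
    param([string]$Identity)
    return ($BroadPrincipals -contains $Identity) -or ($Identity -like '*\Domain Users')
}

function Get-ShareFindings {
    # Default administrative shares (C$, ADMIN$, IPC$) carry Special=True; review them separately.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {

        # Layer 1: the share ACL. Change and Full are the write-capable share rights.
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -in 'Change', 'Full' -and
                (Test-BroadPrincipal $ace.AccountName)) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $ace.AccountName; Rights = $ace.AccessRight
                }
            }
        }

        # Layer 2: the NTFS ACL on the shared folder. Effective access over the network is
        # the more restrictive of the two layers, but a broad NTFS grant is still worth
        # recording: it is also what a local logon on that workstation gets.
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (($ace.FileSystemRights -band $WriteMask) -ne 0) -and
                    (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                        Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

Get-ShareFindings | Sort-Object Share, Layer | Format-Table -AutoSize
```

Run it on each server and on a sample of workstations (it can be wrapped in Invoke-Command for remote hosts that have PowerShell remoting enabled) and compare the output with what the plain-vanilla test user can actually open; a share that shows no finding here but is still readable by that user usually means the folder inherits a broad grant from a parent directory, which Get-Acl on the parent will show.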

2. Dig deeper and search your shares and directories for sensitive information that's not properly secured. You can use the text search capabilities of Windows Explorer, but I prefer a faster and more robust freeware or commercial application such as Google Desktop Search or Effective File Search, as shown in Figure 3. Plug in some regular expressions and other text you think may point you to sensitive information, such as "dob" for date of birth, "ssn" for social security number, and so on, and see what your search utility finds. You may want to narrow your search to text-based files such as DOC, PDF, TXT, RTF, XLS, etc. to cut down your scan times. You'll likely find unprotected sensitive information scattered about temp directories and the Windows desktop on local workstations and various directories on your file servers. If you don't find anything, you probably haven't looked deeply enough, so keep experimenting with your test queries.


Figure 3 - Use a text search utility to find sensitive information scattered about the network
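For the plain-text part of step 2, a scripted sweep gives repeatable results between annual tests. The following PowerShell is an added example, not the tip's own method or any of the search tools it names: it walks one or more roots, restricts itself to text-based extensions, applies a set of named regular expressions with Select-String, and writes a masked report. The roots, extension list and patterns are assumptions to tune; the SSN and card-number regexes are illustrative shapes, not validated formats.

```powershell
# Added example, not part of the tip: sweep text-based files under one or more roots for
# patterns that suggest personal data. Roots and patterns below are placeholders to tune.
$Roots     = @('\\FILESERVER01\Public', 'C:\Users')           # placeholders: your shares/dirs
$TextTypes = @('*.txt', '*.csv', '*.rtf', '*.log', '*.xml', '*.html', '*.htm', '*.ini')

# Finding name => regex. Select-String is case-insensitive by default, so keywords need no (?i).
$Patterns = [ordered]@{
    'SSN (nnn-nn-nnnn)' = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
    'Keyword SSN'       = '\bssn\b|social security'
    'Keyword DOB'       = '\bdob\b|date of birth'
    'Card-like number'  = '\b(?:\d{4}[ -]?){3}\d{4}\b'
}

function Find-SensitiveText {
    param([string[]]$Path, [string[]]$Include, $Pattern)
    foreach ($root in $Path) {
        # -Include only applies to files under $root when combined with -Recurse;
        # directories the running account cannot read are skipped silently.
        Get-ChildItem -Path $root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($name in $Pattern.Keys) {
                # -List stops at the first matching line per file, which keeps scan time down.
                $hit = Select-String -LiteralPath $file.FullName -Pattern $Pattern[$name] `
                                     -List -ErrorAction SilentlyContinue
                if ($hit) {
                    # Mask digits so the findings report does not become a copy of the data.
                    $masked = $hit.Matches[0].Value -replace '\d', '#'
                    [pscustomobject]@{
                        File = $file.FullName; Finding = $name; Line = $hit.LineNumber; Match = $masked
                    }
                }
            }
        }
    }
}

Find-SensitiveText -Path $Roots -Include $TextTypes -Pattern $Patterns |
    Sort-Object File |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\sensitive-data-findings.csv"
```

Two caveats. Select-String reads files as text, so DOC, XLS and PDF (and the zip-based DOCX/XLSX) are not covered by this script; those need a text-extracting indexer such as the desktop search tools the author mentions. And run the sweep twice: once as the plain-vanilla test user, which shows what any insider can reach, and once with administrative rights, which shows everything that is lying around regardless of permissions. Either way, treat the output file as sensitive and store it somewhere only the assessment team can read.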

3. Connect a network analyzer to your network backbone and see what's leaving the network. This is another test that'll likely uncover some issues you didn't know existed on your Windows network. Simply connect your favorite network analyzer to your switch's mirror or SPAN port (or to a local hub that your perimeter firewall is connected to) and see which protocols are in use and who your top talkers are. I like using EtherPeek SE for this because it has a "monitor" mode that allows you to get an overview of what's going on without having to go to the trouble of capturing actual packets. You can let your network analyzer run for a few hours in the middle of the day or over a period of a few days to get a good cross section. Either way, I'm confident you'll find traffic, conversations, and possibly even employee shenanigans you never had a clue were taking place on the network.

Figure 4 shows EtherPeek's discovery of questionable protocols that shouldn't have been on a network. Hmm -- encrypted POP3 e-mail, SSH, and AOL Instant Messenger all coming from the same intern's machine? You've got to wonder what's going on with a setup like this.


Figure 4 - A network analyzer's monitor mode can uncover security weaknesses you'd never know about otherwise
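Most analyzers, EtherPeek included, can export their conversation or flow statistics as CSV, and the two views step 3 asks for (top talkers and per-host protocol mix) are a short script over that export. The following PowerShell is an added example, not EtherPeek output or code from the tip: the CSV is constructed sample data, the port-to-protocol table and the list of protocols that a plain workstation should not be originating are assumptions to adapt, and the 10.1.5.40 rows mirror the intern's-machine pattern described above (encrypted POP3, SSH and AIM from one host).

```powershell
# Added example, not part of the tip: reduce a conversation/flow export to top talkers and
# per-host protocol mix. The CSV is constructed sample data; the port table and the
# "suspicious for a workstation" list are assumptions to adapt to your own network.
$SampleCsv = @'
Src,Dst,DstPort,Bytes
10.1.5.23,10.1.1.10,445,5200000
10.1.5.23,203.0.113.7,443,810000
10.1.5.40,198.51.100.9,995,120000
10.1.5.40,198.51.100.22,22,950000
10.1.5.40,198.51.100.50,5190,30000
10.1.5.41,10.1.1.10,445,2400000
10.1.5.41,10.1.1.5,53,12000
10.1.5.42,203.0.113.7,443,300000
'@
$Flows = $SampleCsv | ConvertFrom-Csv

# Destination port => protocol label (string keys because ConvertFrom-Csv yields strings).
$PortNames = @{ '22' = 'SSH'; '53' = 'DNS'; '80' = 'HTTP'; '110' = 'POP3';
                '443' = 'HTTPS'; '445' = 'SMB'; '995' = 'POP3S'; '5190' = 'AIM' }

# Protocols an ordinary workstation on this network has no business originating.
$WorkstationSuspicious = @('SSH', 'POP3', 'POP3S', 'AIM')

function Get-TopTalkers {
    param($Flows, [int]$Top = 5)
    $Flows | Group-Object Src | ForEach-Object {
        [pscustomobject]@{
            Host  = $_.Name
            Bytes = ($_.Group | ForEach-Object { [long]$_.Bytes } | Measure-Object -Sum).Sum
        }
    } | Sort-Object Bytes -Descending | Select-Object -First $Top
}

function Get-ProtocolMix {
    param($Flows)
    $Flows | Group-Object Src | ForEach-Object {
        $protocols = $_.Group | ForEach-Object {
            if ($PortNames.ContainsKey($_.DstPort)) { $PortNames[$_.DstPort] }
            else { "port $($_.DstPort)" }
        } | Sort-Object -Unique
        $flagged = @($protocols | Where-Object { $WorkstationSuspicious -contains $_ })
        [pscustomobject]@{
            Host      = $_.Name
            Protocols = $protocols -join ', '
            Flagged   = $flagged -join ', '
        }
    }
}

Get-TopTalkers -Flows $Flows | Format-Table -AutoSize
# Only hosts with at least one flagged protocol; 10.1.5.40 is the one in the sample.
Get-ProtocolMix -Flows $Flows | Where-Object { $_.Flagged } | Format-Table -AutoSize
```

Swap the here-string for `Import-Csv` on a real export and adjust the column names to match the analyzer's. The byte totals answer "who are the top talkers"; the flagged list answers "which hosts are running protocols they shouldn't be", and a single workstation accumulating several such entries is exactly the kind of setup Figure 4 shows.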

There's one final issue worth mentioning that's much less likely to occur than the misdeeds mentioned above but can still take place: a rogue insider exploiting a vulnerability he's discovered with a quick vulnerability scan of the network. Using a number of free, easy-to-use tools, a contractor could scan a few hosts and come across a weakness such as the Backup Exec Remote Agent Authentication Vulnerability. If he has any computer savvy about him, he could simply download and run Metasploit to gain a remote command prompt with full access to the system. All it takes is about 3 minutes and, boom, he's in! I've outlined how to use Metasploit for real-world security tests in this recent tip.

Some of these tests can take time and effort to perform, but they really need to be done to ensure your systems are secure from the insider threat. You don't necessarily need to run them every month or every quarter, but at least make them part of an annual testing program.

About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.

This tip originally appeared on SearchWindowsSecurity.com.
