Proactive vs. reactive security
If your company is proactive with layered security, then security is an ongoing consideration in the design and planning phases of your network implementation and administration; your company has most likely:
If your company is reactive, security is an afterthought and a desperate measure to recover from an attack that can lead to unnecessary user and/or customer downtime, which can cost your company thousands or millions in damages - your company has most likely:
COM Internet services security: Dtcsetup
Did you know that if a hacker (or an administrator, inadvertently) runs the stand-alone "dtcsetup" program located in the system32 folder on a critical production Windows 2000 server, it will stop your MS DTC service indefinitely and begin re-copying the MS DTC files? Consider moving setup and administrator-level programs off your servers.
Packet security/reference tracking
In COM Internet Services, go to the Default Properties tab and select the check box to run "on this computer." At a minimum, change the default Authentication Level to Packet Security and the Impersonation Level to Impersonate. Enable "Provide additional security for reference tracking." In the MSDTC tab, change the location and file name of the DTCLog log file.
Enter a TCP/IP port range for DCOM Intranet in the Default Protocols tab of My Computer in Component Services. Next, remove the other, unused protocols. Then go to the Default Security tab and edit "Access Permissions."
You may want to add the Administrators group and set the type of access to "Deny DefaultAccessPermission" to prevent administrators from accessing your application. You can use this permission in conjunction with "Allow DefaultAccessPermission" for other users. Consider removing Administrators from Default Launch Permissions as well.
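The dtcsetup point and the Component Services defaults above can be checked without opening the MMC. The following audit script is an added example and is not part of the original article; it assumes the documented registry locations for the machine-wide DCOM defaults (HKLM\SOFTWARE\Microsoft\Ole and HKLM\SOFTWARE\Microsoft\Rpc\Internet) and the well-known SID for BUILTIN\Administrators, and reports each setting that does not yet match the recommendations.

```powershell
# Added example, not from the article: audits the machine-wide DCOM defaults that
# Component Services stores in the registry against the settings recommended
# above, and flags dtcsetup.exe left in system32. The value names below are
# the documented Windows 2000-era DCOM registry entries (assumed mapping to
# the Component Services check boxes). Run from an elevated PowerShell prompt.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Decode a REG_BINARY security descriptor into (AceType, SID) pairs.
function Get-DcomAce([byte[]]$sd) {
    if (-not $sd) { return @() }
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sd, 0
    foreach ($ace in $raw.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce]) {
            [pscustomobject]@{ Type = $ace.AceType; Sid = $ace.SecurityIdentifier.Value }
        }
    }
}

# Returns a list of findings; an empty list means every checked item is hardened.
function Test-DcomHardening {
    $findings = @()
    $p = Get-ItemProperty -Path $ole -ErrorAction SilentlyContinue
    # Authentication: 1=None 2=Connect 3=Call 4=Packet 5=Pkt Integrity 6=Pkt Privacy
    if (-not $p.LegacyAuthenticationLevel -or $p.LegacyAuthenticationLevel -lt 4) {
        $findings += 'Default Authentication Level is below Packet (4).'
    }
    # Impersonation: 1=Anonymous 2=Identify 3=Impersonate 4=Delegate
    if ($p.LegacyImpersonationLevel -lt 3) {
        $findings += 'Default Impersonation Level is below Impersonate (3).'
    }
    if ($p.LegacySecureReferences -ne 'Y') {
        $findings += '"Provide additional security for reference tracking" is off.'
    }
    # Article: deny Administrators in DefaultAccessPermission, drop them from launch.
    $access = Get-DcomAce $p.DefaultAccessPermission
    if (-not ($access | Where-Object { $_.Sid -eq $adminsSid -and $_.Type -eq 'AccessDenied' })) {
        $findings += 'DefaultAccessPermission has no Deny entry for Administrators.'
    }
    $launch = Get-DcomAce $p.DefaultLaunchPermission
    if ($launch | Where-Object { $_.Sid -eq $adminsSid -and $_.Type -eq 'AccessAllowed' }) {
        $findings += 'DefaultLaunchPermission still allows Administrators.'
    }
    # The DCOM Intranet TCP/IP port range is stored under Rpc\Internet.
    $r = Get-ItemProperty -Path $rpc -ErrorAction SilentlyContinue
    if (-not $r -or -not $r.Ports -or $r.UseInternetPorts -ne 'Y') {
        $findings += 'No restricted TCP/IP port range is configured for DCOM.'
    }
    if (Test-Path (Join-Path $env:SystemRoot 'system32\dtcsetup.exe')) {
        $findings += 'dtcsetup.exe is present in system32; consider moving it off the server.'
    }
    return $findings
}

Test-DcomHardening
```

Values that are missing from the registry are reported as findings, because DCOM then falls back to its built-in defaults (Connect and Identify), which are weaker than the levels recommended here.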
Set and test the following security changes for COM+ Applications. Make sure that you understand your application and its external dependencies (on other applications) before making these modifications. You may need to tune the process settings (e.g., leave the process running when idle, or shut the process down) to find a secure and functional configuration that works in your environment. Some IIS components are included to assist your Web server application.
Set COM+ QC DLQL to enforce access checks, to perform access checks at the process and component level, and to use Packet for the authentication level and Impersonate for the impersonation level. Specify a unique account and password in the Identity tab. Activate components in a dedicated server process. In the Advanced tab, set the server process to shut down after being idle for one minute. Disable deletion and changes.
Serious about security
It's been my experience that IT professionals have often overlooked some of these basic security steps. If you're serious about security, you must pay close attention to security details and leave no room for hackers.
In the absence of network security, there exists an opportunity for intrusion.
Please write to me and let me know if this article has brought to light any potential weak links in your enterprise network.
For more information:
You can find over 100 security tips to protect your network today in Luis' new security book, "The Weakest Security Link Series," 1st edition, 2003, available at Barnes and Noble. Visit my website for more information at www.medinasystems.com.
Luis Medina is the author of "The Weakest Link Series," which offers network managers an opportunity to identify ongoing network security issues. Luis also answers security questions in our Ask-the-Expert section. Submit a security question to Luis here or view his previously answered Ask-the-Expert questions.