Windows Security Challenge Network Holding Strong—So Far

When you invite the world to try to hack into your Microsoft network, what's the major security challenge you face? In the case of MCP TechMentor's Windows Security Challenge, it might be the security

(Seattle, Wash.) Imagine you've set up a network with Windows 2000 servers and desktops, XP desktops, Exchange, IIS, SQL Server, and ISA Server. You've followed the security guidelines set down by Microsoft, and you've applied service packs and patches that have surfaced since those products were released. Then you invite the world to try to hack into the network. What's the major security challenge you face?

In the case of MCP TechMentor's Windows Security Challenge, it's probably the fact that the security guard protecting the room where the servers are physically located keeps falling asleep.

One speaker said he was tempted to walk into the room and unplug something in order to bring the Web site down.

On day one, attendees heard the highlights of the network hardening effort, as explained by the team that did the work, including Microsoft security consultant Steve Riley, SQL Server consultant Ted Malone, IIS expert Brett Hill, firewall expert Joern Wettern and Active Directory consultant Laura Robinson, and led by MCP Magazine Contributing Editor Roberta Bragg. A diagram of the network is available at seattle/overview.asp#.

The presentations highlighted the same best practices outlined in Microsoft's Security Operations Guide, available online at treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/.

The three-day event is hosted by 101communications and MCP Magazine.

By 6 p.m. on Wednesday the network was activated and was hosting a Web site. The Web page shows a simple guest book application. The information filled in by visitors poses a sort of enticement to hackers, who try to access the SQL Server holding the data.

"We're seeing a tremendous amount of attacks but there's nothing really original... It's a lot of script kiddies," said Mark Burnett, an Internet security consultant and author, who installed Snort to log activity for the project. "I haven't seen anything really serious. It goes to show just how effective the basic steps can be."

Malone, the SQL expert on the team, said visitors have tried to break into the SQL application.

"Then they tried to get into IIS. Thousands and thousands of exploits. Gave that up pretty quickly." He said the team has seen a lot of SQL injection-oriented errors, in which hackers attempt to exploit an aspect of SQL by tricking the application into running commands entered through data fields. Malone showed in his session how to prevent SQL injection problems; the fix: changing single apostrophes in the SQL code to dual apostrophes.
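As an added illustration (not code from the article or the challenge team), the guest-book insert written three ways: input pasted straight into the SQL text, the doubled-apostrophe fix Malone described, and a parameterised query. SQLite stands in for SQL Server here (an assumption) so the comparison runs offline.

```python
import sqlite3

# Constructed stand-in for the challenge's guest-book table; SQLite is used
# here (an assumption) so the example runs offline instead of on SQL Server.
SCHEMA = "CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)"


def new_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_naive(con, name, comment):
    # Vulnerable: visitor input is pasted into the SQL text. A lone apostrophe
    # closes the string literal early and the remainder is parsed as SQL, which
    # is where the "SQL injection-oriented errors" the team logged come from.
    sql = "INSERT INTO guestbook (name, comment) VALUES ('%s', '%s')" % (name, comment)
    con.executescript(sql)  # runs several ';'-separated statements, as ADO would
    con.commit()


def escape(value):
    # The fix from the session: double each single apostrophe so the parser
    # keeps it inside the string literal instead of ending the literal.
    return value.replace("'", "''")


def insert_escaped(con, name, comment):
    sql = "INSERT INTO guestbook (name, comment) VALUES ('%s', '%s')" % (
        escape(name), escape(comment))
    con.executescript(sql)
    con.commit()


def insert_param(con, name, comment):
    # Parameterised statement: data never becomes part of the SQL text, so no
    # escaping rule has to be right for every column type.
    con.execute("INSERT INTO guestbook (name, comment) VALUES (?, ?)", (name, comment))
    con.commit()


def stored_names(con):
    return [r[0] for r in con.execute("SELECT name FROM guestbook ORDER BY id")]


def try_insert(insert_fn, name, comment="hello"):
    # Returns ("ok", names) or ("error", message) so the variants can be compared.
    con = new_db()
    try:
        insert_fn(con, name, comment)
        return ("ok", stored_names(con))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

Doubling apostrophes only protects values that sit inside quoted string literals; a number pasted into an unquoted column needs validation or parameters, which is why the parameterised form is the general answer.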

The question the challenge is attempting to answer, said Bragg, program chair for the event, was, "Can a small business protect against the threats that are out there?" Her conclusion: "It is not that hard. It takes time. It takes commitment."

But there's a bigger issue at stake, she said. "It's not about securing your world; it's about securing the world." That, she said, requires a different mindset.

The network will remain live until the end of Thursday.

About the Author

Dian L. Schaffhauser is a freelance writer based in Northern California.


Reader Comments:

Thu, Sep 26, 2002 TT Anonymous

Anonymous, did you happen to look at the date the article was published? July 11. (Thursday, in case you don't happen to have a calendar.) What date did you try accessing the web site? August 1. THREE WEEKS LATER!!!

Thu, Aug 1, 2002 Anonymous Anonymous

The network will remain live until the end of Thursday.

today is thursday dumbass

Thu, Aug 1, 2002 Anonymous Anonymous

No, it means that the contest was over YESTERDAY, and the site is not up anymore.

Thu, Aug 1, 2002 Anonymous Anonymous

DDoS attack? or was it hacked

Wed, Jul 31, 2002 mcse Anonymous

Maybe when you say "invite the world" you should do that. I follow several security and penetration-testing mailing lists, and have never heard of this challenge until today. When and where was this invitation publicized?

Fri, Jul 19, 2002 Edna Ractre NZ

The Microsoft Security Challenge is a great idea and I thoroughly applaud it.
As security professionals we have a responsibility to promote secure computing practices.
A couple of thoughts, not aimed at Microsoft directly, rather at all software vendors and developers....
* Surely best practice would be for products to default to a secure state straight from the box.
* As a computing community we seem to concentrate on border security rather than building secure operating systems, applications and databases. I'm not saying we don't need firewalls etc., what I really want to know is do we really need all that extra functionality (and its inherent security flaws) and does it need to be rushed to market so quickly without adequate testing?

Mon, Jul 15, 2002 Billy Meade Anoka, Minnesota

As one of the participants there, I'd like to say that the setup and configuration of these servers were taken from best practices, already published by Microsoft. There were extra "precautions" that you wouldn't necessarily find on the majority of networks out there in the "real" world. However... everything that was done is published & documented by Microsoft. My hat's off to the setup & configuration team responsible for this network. They did an excellent job (especially considering the timeframe!)
I look forward to the next challenge and hope that the comments regarding the attendees doing the actual configuration & setup will be taken into account.
Kudos to all of you at the conference, and thanks for an enjoyable and learning experience.

Billy Meade

Sun, Jul 14, 2002 Roberta Bragg unsure

What Steve and Blackhawk said were true. I'd like also to note that 95% of what we did is from publicly available documents on Microsoft's site. Check out the Security Operations Guide, and white papers on SQL Server and Exchange and ISA Server. The other 5% is that extra knowledge that you get when you bring experts into play. The objective of the exercise was to do just that - use publicly available documents. And part of the time was spent on hardening file servers, and clients and domain controllers which never got tested. Time was our major issue - not lack of knowledge. Given more time, I could take anonymous and a few others and duplicate the process.

Fri, Jul 12, 2002 Steve Riley Seattle, WA

Yep, I'm the one mentioned in the article. The prime reason we had six people building the network isn't because we needed "six security brains," but because we had only one day to get it up and running. Building a network with 11 computers, two hubs, a switch, a firewall, and a router takes time, of course. So we had each person be responsible for his/her own computers. And besides -- it really does take more than one person even for a small network like this. I'm completely comfortable with ISA Server and Exchange, but not SQL -- it isn't my area of expertise. That's why we had Ted for that. Finally, Anonymous asks about details -- none of us did anything esoteric. We followed basic guidelines available from Microsoft and many other locations to secure IIS, ISA Server, Exchange, the CA, and the domain controllers. Ted's information on SQL Security is still rather new and will be documented soon.

Fri, Jul 12, 2002 Anonymous Anonymous

What would also have been a good idea would have been to have an "unannounced" setup somewhere on the internet to see how long it took before that started to have attacks on it! Like the first person said, it has taken a lot of collective resources to secure this site. Are the details of what you did going to be made public so that everyone else can benefit from the experience without having to buy expensive (foreign) courses?

Fri, Jul 12, 2002 Blackhawk Seattle, WA

Well, first... Welcome to the real world. The perimeter firewall, a TYPICAL portion of a well-designed network security, was set up as "generic" as possible.
The necessary ports were wide open. Port 80 to the IIS (only port 80, but hey, it's a web server!). Ports 25, 80, 135 and EVERYTHING above 1024 to the ISA server, handling SMTP, WWW, and MS-RPC services. Being wide open on the firewall means there were no additional "services" proving that the alternate vendor (or admin) were too cool for the hackers.
Wide open means no additional filtering of half-open connections, malformed packets or anything else. A perimeter firewall, alternate vendor or not, should be part of the network security. Security is NEVER a one-box solution. No matter whose solution you pick, if you choose this method, you are destined to fail.
Oh, and the Snort box and Cisco IDS system were used to gather information only about incoming information. They weren't set up as TRUE IDS systems, which typically would shun individual attackers. So you can't count them either!
And shouldn't we all strive to be experts to think of the things necessary to secure our networks at every point? Six people or just one person doesn't matter.

Thu, Jul 11, 2002 x y Anonymous

Great. So now we know the answer to the question, "how many people does it take to set up a Windows network that is so secure, it can go a week without being hacked?"

It only takes 6 MCSE experts, including Roberta Bragg and a Microsoft consultant.

And only as long as you've put your Microsoft ISA firewall behind a non-Microsoft firewall, and added in open-source software such as Snort for intrusion detection, like they did here. How can you prove the claim that Microsoft products like ISA are secure if you need to protect your $1,500 Microsoft firewall with another vendor's firewall?
