Editor's Desk

Fake Out

A controlled security challenge still provides valuable lessons.

As you can tell, this month’s theme in the magazine is security. We offer an extensive piece on intrusion detection software and look at four major IDS offerings. And Roberta Bragg starts a sometimes-series on how to harden the Windows network.

The timing is superb, because she and Senior Editor Keith Ward have just wrapped up the MCP TechMentor Summit on Security. No doubt, if you get on our Web site or receive our newsletters, you’ve read something about the Windows Security Challenge. A team of experts spent the day hardening a “typical” network using Microsoft security guidelines, which included a Windows 2000 server, Exchange server, SQL Server, IIS and ISA Server. Then they invited the world to crack into it.

As Keith wrote in his online wrap-up story, “After 31 hours and 40,000 attacks, the Windows 2000 network set up and hardened...remained uncompromised.”

Naturally, it was rigged. They called on some of the biggest names in Windows security to effect the hardening—people who aren’t ordinary sys admins and could really concentrate on the job at hand. Hackers had only 36 hours to crack in—hardly enough time to show real creativity with their efforts. The system had no end-users, which eliminated a major set of vulnerabilities. Attendees were discouraged from launching denial-of-service attacks, as it would have stopped the game for everybody. And those of us on site were barred from physically touching the network and, say, walking off with a server.

So doesn’t that make the Challenge merely a meaningless exercise in control freak behavior? Actually, even under those parameters, the endeavor showed its weaknesses.

First, the first security guard hired to watch over the network kept falling asleep. Second, in his exhaustion, one of the hardening experts left a floppy disk with some passwords on it in one of the drives. Third, an insider decided to gain physical access to the network in violation of the stated rules. Security consultant Mark Burnett filled the new security guard full of soda, waited until he had to go to the bathroom, and changed the username and password for the administrator account on a server. Truly cunning behavior.

Steve Riley, a Microsoft security expert who configured security for the Exchange server, said the attack should serve as a warning to companies. “The people with the broadest and most thorough access to your company are the lowest-level employees, the security guards and janitors. It’s something you’re going to have to think about.”

Even if you do consider the Challenge a fake structure, its artificiality might be worth emulating. Nothing prevents you from organizing a team of company experts to harden your Windows network. Concentrate on the job for a day or a week—however long it takes. Impose restrictions to reduce internal weaknesses. Figure out stronger separations between the users and servers. Address the basics, which will take care of most of the security problems your network will face.

I’d enjoy hearing how your company approaches the challenge of security. I’m at dian.schaffhauser@mcpmag.com.

About the Author

Dian L. Schaffhauser is a freelance writer based in Northern California.
