Build effective security moats with a defense-in-depth strategy.
- By Roberta Bragg
It's easy to get trapped in the cycle of vulnerability announcements,
patch announcements and patching processes. It can sap your energy,
keep you from looking at the big picture, and prevent you from building
defenses to deal with problems as yet unannounced. It can be especially
frustrating when you run into machines that can't be patched because
of some underlying application incompatibility with the changes
made by a patch. But you do it because you have to, and by now,
I hope you've applied defensive measures to prevent compromise due
to recent worms.
Once all that's done, though, what then?
The answer is defense-in-depth. Let's look at the current port
443 and port 445 attacks, many of which are new worms in response
to the PCT and LSASS vulnerabilities in MS 04-011. What benefits
would a defense-in-depth strategy have? Let's examine the layers
that should be in place.
- Network perimeter: If you're blocking access to these
ports from the Internet, you're not vulnerable to worms propagated
and present on the Internet. (If an infection already exists on
your network, or is brought in through another vector, this doesn't
- Application layer: Your first defense here, of course,
is patch application. However, defense-in-depth requires other
steps. There are specific updates for anti-virus products that
can defend against known worms, but to ensure you're protected,
and to block new worms or manual attacks, you can do more.
If you're restricting or disabling anonymous access, the current
worms, according to security researcher Thor Larholm and others,
can't take advantage of the LSASS vulnerability. Restricting anonymous
access has been a standard precaution since Windows NT 4.0, Service
Pack 3. I suspect many of you are blocking port 445 (which the worms
are targeting) at your perimeters, but the attacks on PCT, which
use port 443, can't be as easily defended against. Port 443 is also
used for SSL; therefore, every Windows server using SSL to protect
communications and authenticate servers may be vulnerable, and you
can't simply block access to that port. You can, however, ensure
that port 443 is only open to Internet access from those machines
requiring it. Secondly, the vulnerability here is with PCT, a secure
channel protocol that, like SSL, uses port 443. This protocol can
be safely disabled without impacting the use of SSL. The Registry
entry is listed in Microsoft Knowledge Base article 187498, "Disable
PCT 1.0, SSL 2.0, or SSL 3.0 on IIS".
- Host layer: Some of the application-layer defenses covered
above are known host-hardening configuration steps. Other steps
include disabling unnecessary services like telnet and TFTP --
two favorite protocols used in remote access attacks and for downloading
malicious code. As an added layer of protection, use IPSec blocking
policies to block both incoming and outgoing use of ports commonly
used in attacks. Even if the service has been disabled, an attack
might be able to take advantage of a vulnerability to enable the
service, or install its own service. Blocking outgoing communications
not part of a host's normal, required activity can prevent that
type of runaround.
- Wetware: Wetware includes all the biological aspects
of your network, like clueless users and harried administrators.
You should insist on security awareness training for all users
and continue your awareness training by keeping in touch with
security lists, newsletters and other communications. One source
you should subscribe to is Lartholm's "unpatched," www.pivx.com.
It's not a weekly tirade; just some good, timely advice when there's
something to say.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.