From: Honest Joe <[email protected]>
Newsgroups: alt.satellite.direcpc
Subject: Computer Security..
Date: Sunday, November 21, 1999

*Caveat lector*

I'm *not* any kind of security expert.. I make NO claims in this area.. There are people who get paid _lots_ of money to do just this..
This article stems from requests, and posts, I've seen of late, surrounding this issue..
________________________________________________________
To begin: What is security? This question has a twofold answer.
  • Protecting our resources from "Bad Guys" on the outside..
  • Protecting our resources from "Bad Guys" on the inside <g>..


Resources usually, but not always, imply files or computer identities..

Strange enough, after reading books on this subject, and from my own observations, by far, the biggest "dangers" are within.. Especially from people who have physical access to the computer(s) in question or have access to the networking cabling.. These enemies within being: "spies", disgruntled employees, ex-spouses, errant kids and any other type of malcontent you could dream up..
At this point, it appears, we even have to protect ourselves from certain programs that we run.. The Audio program "Real Jukebox" comes to mind..
This little spy is/was busy sending private, personal data to the programmers/company who created it..

For the sake of brevity, I'm going to skip the Bad Guy "within"..
I'll leave it to you, the reader, to figure out how to handle this "danger"..
I'll concentrate on the Bad Guy "without"..

I suppose the questions that should be asked first are:
  • What are we trying to protect??
  • What can these many and sundry network miscreants steal from us?
They usually want to do one of three things..
  1. Vandalize.. Erase hard drives, etc, similar to virus/trojan writers..
  2. Snoop/steal/store files from/to our disk drives..
  3. Use our machines to hide their identity from others..

There are subcategories that fall under these general ideas as well..

The question is _how_ are these people doing this?? This answer depends upon what the loser is trying to accomplish.. Times have changed slightly from the unix only days, but the methods remain similar.. Most attacks, from losers who are attempting to gain access, start by checking to see what services are available on a target box.. This is done by checking what is called "well known ports/services" to see if any of the common TCP/UDP (and even ICMP) services are being offered to others on the network..

By the way:

         [TCP = Transport Control Protocol]
         [UDP = User Datagram Protocol]
         [ICMP = Internet Control Message Protocol]

The term "network" also implies an Internet connection, though a modem/ISDN/DSL/etc, to your ISP.. Or Direcpc.. After all, the Internet is the worlds biggest network..

The way these services are "checked" depends.. Anything from a simple telnet client, (every OS comes with one), to sophisticated scanning software, packet sniffing tools, etc, etc.. The "tools" are "loser dependent" depending upon his/her/its wherewithal..

Remember, each service has an assigned port, or address, in which it "listens" for requests..

To name just a few:
     WWW (port 80)
     FTP (port 21)
     Telnet (port 23)
     smtp (mail, port 25)
     netbios (Windows, ports 138,139)

Well known TCP/UDP ports are the ports that number from 0-1023..
Checking *all* of these well known ports/services, or all ports *period*, (there are a possible 65536) is called "port scanning".. Strange enough, most NOS (Network operating systems I.E., the various flavors of Unix, and windows NT) kernels are reasonably good about disallowing unauthorized access and have decent password algorithms.. Unfortunately, some of the *services*/programs running under these kernels are notoriously lax/buggy/etc when it comes to security, and the OS kernel ->trusts<- these services, doing whatever they request.. What is a service?
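As an added example (not code from the original post): a small Python script that reads connection-attempt log lines and flags any source that probes many distinct ports in a short window, which is the trace a port scan leaves behind in a log. The log format and the addresses are constructed for illustration; a real firewall or proxy log will differ.

```python
"""Flag port-scan-like behaviour in connection-attempt logs.

Added example, not code from the original post. The log format
(timestamp, src=, dport=, proto=) and the addresses are constructed
for illustration; real firewall or proxy logs differ, so adapt
parse_line() to yours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WELL_KNOWN_MAX = 1023   # ports 0-1023 are the "well known" range

# Constructed sample: one outside host (documentation address range)
# probing a run of well-known ports within seconds, plus a LAN client
# making ordinary web requests.
SAMPLE_LOG = """\
1999-11-21 10:00:01 src=203.0.113.5 dport=21 proto=tcp
1999-11-21 10:00:01 src=203.0.113.5 dport=23 proto=tcp
1999-11-21 10:00:02 src=203.0.113.5 dport=25 proto=tcp
1999-11-21 10:00:02 src=203.0.113.5 dport=79 proto=tcp
1999-11-21 10:00:03 src=203.0.113.5 dport=80 proto=tcp
1999-11-21 10:00:03 src=203.0.113.5 dport=139 proto=tcp
1999-11-21 10:00:04 src=203.0.113.5 dport=1080 proto=tcp
1999-11-21 10:05:00 src=192.168.1.20 dport=80 proto=tcp
1999-11-21 10:06:00 src=192.168.1.20 dport=80 proto=tcp
"""


def parse_line(line):
    """Return (timestamp, source IP, destination port) for one log line."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, kv["src"], int(kv["dport"])


def find_scanners(log_text, min_ports=5, window=timedelta(minutes=1)):
    """Map each source that touches at least `min_ports` distinct
    destination ports inside any `window` to the sorted list of all
    ports it touched."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in evs})
                break
    return scanners


def well_known_hits(ports):
    """Subset of `ports` that fall in the well-known 0-1023 range."""
    return [p for p in ports if p <= WELL_KNOWN_MAX]


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} touched {len(ports)} distinct ports "
              f"({len(well_known_hits(ports))} well known): {ports}")
```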

A service is a _trusted_ software driver/component that performs a "service" for clients.  For example, an FTP server, a mail spooler (server), a getty (telnet) server, programs that facilitate file/printer sharing across a network, and so forth.. Most of these programs come with the OS, and the configuration for them is either in configuration files in the /etc directory or, in NT, buried in the registry..

Now, in order for losers to gain access, they need either:

->user name and password<-..
or
->program/service, running with root/administrator privileges, that they can command<-

How do they get it?? Consider:

If the box is offering the "finger" service, (most unix boxes do) names of people with accounts appear.. The "finger" program is very useful.. Here is the help string from the "finger" program:

++++++++++++++++++++++++++++++++++++++++++++++++++++++
Displays information about a user on a specified system running the Finger service. Output varies based on the remote system.

FINGER [-l] [user]@host [...]

-l Displays information in long list format.
user Specifies the user you want information about.
Omit the user parameter to display information about all users on the specified host.
@host Specifies the server on the remote system whose users you want information about.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Notice the second option, the one called "user".. Interesting, no??

User account names can be guessed if they are not given outright..
Passwords can be guessed or "brute forced".. People are *notoriously* lazy, and, almost always, choose short passwords that are easy to remember..
Dictionaries, also, are a good place to look for passwords.. Have the attacking computer try every word in it.. There are even "special" dictionaries for doing just this type of "work"..

Another method is to use known bugs, _or_ poorly setup services to gain access to password/shadow files (unix), or use the service to directly control the box (Unix/NT).. Passwords in both unix and NT systems are encrypted.. In unix, the ciphertext info, (encrypted passwords), is in a plain text file.. There are programs around that can try to "brute force" decrypt the passwords in these files, and can be quite successful.. This is because, again, most users don't like long passwords.. Many an administrator will have horror stories about havoc caused by users leaving their user name and password written on a "sticky" and pasted on their monitor.. Or idiots using passwords such as "123456"..

Windows NT keeps this info in its registry, so losers will try to get a program to run.. The object is to set themselves up an administrators account or have a "back door" service, running with administrators privileges, installed that allows them "remote" control.. Again, entry is obtained by targeting a service/program running with administrator privileges, that has bugs, to do the "dirty" work, or, getting people, running as the administrator, to run a "worm".. The "Backorifice" worm falls under the latter..

I'm not going to go into the buggy programs that allow losers to gain access.. This would be a book in and of itself.. But, I will mention a few.. In unix, the old sendmail program had several bugs losers could use in order to get sendmail to email them the password file, or execute a script..
There were also telnet, FTP, and other server type programs that were found to have bugs as well..
Under windows 95/98/NT both Netscape and Internet Explorer seem to be shot full of various and sundry security related bugs.. Everything from their e-mail programs not handling subject lines correctly, inappropriate attachment checking/decoding, running (without permission and/or invocation) of attachments, and the browser itself running inappropriate script..
There are also the various bugs in Microsoft Word, and so forth.. I suspect (am quite sure, actually) that there are *many* bugs yet to be found and exploited.. Bugs in programs we use to access the Internet, in any way shape or form, are, by far, the most dangerous..
Remember folks, we are talking about software bugs..

I haven't even touched on programs that do *not* have real security bugs, but are setup improperly.. Especially programs designed to offer services to the network.. Poor directory selection, not setting correct permissions on files and directories, improper filter rules, the list is endless.. Almost all of the high profile "Website Hacking" we have seen, of late, is due to poor setup by administrators, in my opinion.. Any security person will tell you that good security has to start, and remain ->SIMPLE<-.. This rule is completely tossed to the wind in today's OS, application software, and development environments.. Some of these programs contain *millions* of lines of code.. In most cases, the programmer *never* sees even 1/100th of that.. This is common in today's "visual" programming environment.. C++ "Classes" contain endless amounts of code that is *never* inspected by the programmer.. Who knows *how many*, and what type of bugs could be lurking??
The point of the discussion above is to realize that you can not trust most of the programs you are running to be secure, if attacked.. Especially programs that either use, or provide services to a network.. The enemy within is as bad as the enemy without.. Further, some programs are *designed* to "call home".. Nothing like Judas style programming methodology..
*Real* security people, quite often, write their own short, concise scripts/executables, and *never*, as a rule, run "boxed" software on a security/firewall box.. Software that does not include the source code for inspection, anyway.. When you are responsible for security/trade secrets/information worth millions, or much more, you get *real* fussy.. Also, unix is the preferred OS for firewalls, etc, as most, if not all, programs come with source code included.. Scripting is the native way of doing things in that OS.. That means simplicity.. It is very easy to write a small, logging, input checking "front end" filter/script that checks/logs/filters virtually *anything* you can possibly want/imagine, *before* the input is fed to the service program itself.. You don't have to have the latest copy of Visual development Studio installed.. In fact *no* programming software of any kind is necessary..

A plus..
Scripting is also available under NT, but is nowhere near as efficient.. A lot of windows programs/services don't even accept a "command tail", don't/can't use "piping", etc, making frontend/backend scripts impractical..
So, with that being said, a problem arises in our war on losers..
"Tight" security makes the box, for the most part, unusable.. Or, at least, no fun.. Sigh.. Paranoia has its price..
Let us move on to reasonable, compromised solutions.. The purpose of this article..
I have not really mentioned win95/98 thus far.. There is a reason..
Further, most people who read this are running this OS.. The reason is simple..
This OS was/is not a secure, network OS.. This is not a slight, by the way, as network security was not the design criteria for this OS..
*Compatibility* was the criteria.. Microsoft did a good job on this aspect, in my opinion.. Other than making sure you have your "sharing" turned off, there is little else you can do.. One has to run third party security/monitoring software..
(More on this later).. Most of the suggestions below relate to NT, as few of these options are available in win95/98..

I'm not going to delve into unix specifics either as most people in this group don't use it.. (Saves a lot of typing <g>..) Rules good for NT are good for Unix (linux) as well..
Here's a few simple suggestions..
1: When you install your Windows OS (95/98/NT), don't use the default directory name.. I.E: C:\windows or C:\winnt Choose another name (don't worry, it will work fine) and, if you have the wherewithal, another drive letter.. *None* of my boxes contain a "C:" drive.. Why would we want to do this?? Most of the virus/worm writing losers have a habit of "hardcoding" directory/path names into their abhorrent "work".. If the directory, hardcoded by fools, doesn't exist, the virus/worm won't work..


2: Under NT/Unix, set yourself up an ordinary account giving yourself as *few* privileges as necessary.. Just enough to get the job done/run the software you want to run.. Then use this account for all your day to day, ordinary work.. Why?? Virtually every program you run, runs in the "context" of the current user.. I.E., the program has the same privileges as the user who invokes it.. If you don't have the rights to set up services, write to certain parts of the registry, etc, virus programs/worms such as backorifice, etc, *CAN'T* install themselves.. They count on you running as the administrator..
The *only* person under NT with those rights.. This is a simple, but powerful, way to short circuit a lot of shenanigans.. Also, rename the built in administrator account to something else and don't forget to use a good password as well..
When a loser tries to gain access to your box, why make it easy?? If the administrator account uses (keeps) the name "administrator", the loser already *has*/knows the account name.. All he needs is a password..

3: NT users, consider doing this as well.. Change the permission of the following keys:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceEx

to ->read only<- *period* for all.. Further, *remove* all but administrator and system from the access to those keys.. That way, no "backdoor" program can schedule itself to run upon bootup.. Use NTFS (see number eight on NTFS) to make *all* the startup folders *read only*.. When you need to install new software that may need these keys/folders, you can change them back on a case by case basis.. By the way, when you *do* install new software, and if you use a network/proxy, make sure the proxy stays *offline* and turn your logging on to "log everything"..
If "someone" <g> tries to "call home" you will be aware of it.. Further, if such an attempt is detected, one can filter/lockout access to whomever the software is trying to contact.. This has happened to me on more than one occasion and aggravated me to no end..
Unfortunately, the dialup networking does not have the ability to log user's outgoing, dialup traffic, as far as I'm aware.. You can log the modem's activity to a degree, and log all incoming dialup activity via RAS, but that does us little good for the discussion at hand..

4: For NT users, get into your user manager and set the account policy to disallow logins to an account after, (about) 10 tries.. That should be more than enough.. Also make it *stay* locked out for about an hour.. This will prevent losers from trying to "brute force" your password.. This is a good option for downloaders, etc, who keep their machines connected for long periods of time.. I would not recommend choosing the option of locking out the account forever, as you could end up locking out the administrators account ->permanently<-, if that is what the losers go after (it will be)..
Microsoft gives you a rather large gun with some of these options.. Make sure not to point it at, then blow off, your own feet.. <g>..

5: If you use win95/98, turn file/printer sharing off.. If a service is not being offered over the network, a potential intruder won't try to gain access through it..

6: For NT users, go to your bindings property sheet of your networking properties and *unbind* _all_ services, with the sole exception of TCP/IP from whatever interface(s) that are exposed to the Internet.. This would include your WAN (wide area networks, I.E. modems), your direcpc card (if you have one of the lobotomized things <g>..) and any other network card that has access to the "outside".. This is important, as you are telling the OS that *none* of these services should be available to these interfaces.. It is _these_ services, netbios, server, RAS, workstation, etc, that the losers try to get in through.. Make sure you have the IP forwarding feature on each network card *turned off*, as well..

7: Again for NT users.. Most services run under the "System" account.. Indeed, for some, this is the *only* account that they _can_ run under..
But for others, especially third party drivers/services, you can *select* the account that they run under.. This is a *real* good idea, as you can create a single, or group account, give it the *bare* minimum privileges it needs to do the job, then assign this via the "services" icon in the control panel.. Doing this will help isolate the system from potential security "holes" in a service.. If a service doesn't have permission to commit "sins", it won't..

8: ->Don't use fat<- on your NT system hard drive.. Use NTFS.. But, you whine, I want to run Win95/98 so I can play the newest, kewl game that just came out..
I want a dual boot system, you complain..

     ->Fine<-..

Get another hard drive and use two drives.. NTFS *greatly* increases security _IF_ you take the time to properly set permissions.. With NTFS, losers have to get past two layers of security.. Plus you can audit (log) access to anything, anytime.. Great options for us suspicious types..

O.K.. Let's cut to the chase.. You say "I don't want to use NT or linux"..

"I don't *like* having to worry about all the programs I run".. Is there another solution?? Well, lucky you asked that question, because there is, indeed, another option..

      ->A Firewall<-..

A firewall is a simple, cheap computer we setup to do all of our Internet connections through.. We can let this computer do the security stuff, while we work on a relatively "open" box.. With incredibly cheap hardware available to us, this solution is a very cost effective way of protecting ourselves from fools.. Plus, we can have multiple computers use the same Internet connection simultaneously..
For this scheme we need only some cheap networking hardware and, if NT is chosen as the firewall's OS, we'll need some sort of IP forwarding or "proxy" software.. If linux is chosen, everything you need is included with the OS..
*DO NOT* choose win95/98 for this firewall.. The inability to log transactions alone, is reason enough NOT to select the OS.. Besides, linux is free..
Good firewall setup is straightforward.. Install _ONLY_ the bare minimum amount of software necessary to do the job.. Just the OS and the proxy.. Don't install, or run, application software on this machine.. Follow all the steps above pertaining to accounts, services, bindings, etc.. Strange enough, with all the problems Hughes has had with the private, LAN IP's, these LAN IP's have an advantage when used on a private network.. They are inaccessible from the outside.. Nobody from the outside can route an IP packet to such an address.. On a private LAN, only the firewall box can receive outside traffic.. (It can forward packets, of course, to boxes on the inside ->at your discretion, and under your control<-)..

Finally a note about proxies/relay agents/etc.. I use wingate, but I'm sure other products have similar settings.. On wingate make _sure_ that you set the bindings (the network card that wingate will accept connections on) to the LAN network card *ONLY*.. DO NOT let it take connections from elsewhere.. Specifically: your dialups or direcpc card.. You may also consider making your default policy "Must Authenticate".. I run the gatekeeper program as a matter of habit every time I'm on the 'net' anyway, just to monitor.. Microsoft's proxy server has similar features to allow or disallow connections from an IP, or Block of IP's..

May I share a short story with you??
AT&T had (and may still have) a popular IRC server.. Unfortunately, for non AT&T customers, they had it behind their firewall and only AT&T subscribers could use it.. I dislike IRC (I need to "chat" like I need Lou Gehrig's disease) but *many* people _do_ use it.. Shortly after setting up my first home firewall, I was checking my logs and found that some lowlife had used my box to "spoof" his address so he could use AT&T's IRC channel.. The term "spoof" means "To make it appear that he is coming from my IP address".. Wingate accepted his proxy request via the dialup modem, and sent it back out the same modem to the AT&T IRC server.. He didn't compromise my box in any way, but it was annoying.. This issue could also be quite troublesome.. Imagine if this fool was trying to break into military, or company computers via _MY_ IP.. Law enforcement would be pounding _my_ door down, not his.. You may now see why logging is such an *important* feature.. Without it, I would have never known.. The way this was done, by the way, was the guy simply started scanning blocks of AT&T modem IP's checking to see if someone responded, and if so, do they offer services??
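As an added example (not code from the original post, and not WinGate's own log format): a Python script that reads proxy log lines and flags accepted sessions whose client address is not in the private (RFC 1918) LAN ranges. A proxy bound only to the LAN card should never log such a client; one that does is reachable from the Internet and is relaying for strangers, which is what the story above would have looked like in the log. The log lines and addresses are constructed for illustration.

```python
"""Flag proxy sessions accepted from outside the private LAN.

Added example, not code from the original post and not WinGate's real
log format: the lines below are constructed. The check is simple: an
"accepted" session whose client address is outside the RFC 1918 ranges
means the proxy took a connection on an outside interface.
"""
import ipaddress

# RFC 1918 private address blocks; nothing on the Internet can route to these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: two LAN clients, and one outside client (documentation
# address range) relayed out to an IRC server through the dialup interface.
SAMPLE_PROXY_LOG = """\
1999-11-21 21:15:02 SOCKS client=192.168.1.10 dest=www.example.com:80 status=accepted
1999-11-21 21:15:40 SOCKS client=192.168.1.12 dest=ftp.example.com:21 status=accepted
1999-11-21 21:16:05 SOCKS client=198.51.100.77 dest=irc.example.net:6667 status=accepted
1999-11-21 21:16:09 SOCKS client=198.51.100.77 dest=irc.example.net:6667 status=refused
"""


def parse_proxy_line(line):
    """Return a dict with time, service and the key=value fields of one line."""
    date, time, service, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = f"{date} {time}"
    rec["service"] = service
    return rec


def is_lan_address(ip):
    """True if `ip` lies in one of the RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_outside_relays(log_text):
    """Return the accepted sessions whose client is not on the private LAN."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if rec["status"] == "accepted" and not is_lan_address(rec["client"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_outside_relays(SAMPLE_PROXY_LOG):
        print(f"{rec['time']}: {rec['client']} relayed to {rec['dest']} "
              f"via {rec['service']} -- proxy is accepting outside connections")
```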

This brings us to our next subject.. Legalities..
Contrary to some opinions here, I don't believe it is illegal for someone to "scan" your computer from the "outside".. Why?? Consider:
The Internet is a _public_ network.. As is your telephone network.. It is not illegal for *anybody* to call your telephone number and, if you answer, it is not illegal for them to ask you a question.. (Do you offer proxy services?? Will you accept a telnet connection?? Do you offer FTP services?? etc..) All of you have done web search(es) on your favorite search engine (Alta Vista is mine) and, probably, been amazed at what you have found..
I have found pirate websites, FTP sites, etc, etc, by using the right search phrase.. Well, *guess* how these search engines come up with this info?? That's right, they _scan_ IP's.. If a box accepts a web (port 80) request they do a "web crawler" and leech *everything* there or, at least, the files with an htm or html extension.. Have you ever noticed all the legalese when you go to certain places??
In many company unix boxes, the MOTD (message of the day) specifically states that unauthorized access is forbidden.. This message is _required_ and, in most cases, written by lawyers.. Without it, a loser could claim, in court, that he had no knowledge that it was forbidden to "play" with the box, and he would win.. After all, it _is_ a public network and the box, in some shape or form, allowed access.. In other words, it's a "free for all".. If you can't secure it, someone else may well take it.. Something to think about..

Finally, third party security software.. Quite frankly I don't run any.. A lot of security people don't either.. They prefer to use/write their own.. Or, at the very least, want the source code for examination.. (Companies are unwilling, for the most part, to supply the source code).. The security people want to know: "can we trust the sentry", or "who is watching the watchman"?? Buggy security code can be *much* worse than none at all..

We are not protecting atomic secrets, so, some third party code could be useful.. Like others here, I have looked at the "BlackIce" program, and liked it, even though I'm not currently using it.. Whether it has any "backdoors", is unknown.. There are also *many* other programs written specifically for this purpose.. If you are interested in such product(s), I will leave it to you as an exercise to "check it out"..

There are also newsgroups for this subject such as alt.computer.security, and others, for people wanting more info..

Feedback is welcome, and warmest Regards..

P.S. If you have questions, get off your can and do some research <g>..


PgpID 0x2FADE8A5
Key lookup
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x2FADE8A5
