Fake Out

A controlled security challenge still provides valuable lessons.

• By Dian Schaffhauser
• 09/01/2002

The timing is superb, because she and Senior Editor Keith Ward have just wrapped up the MCP TechMentor Summit on Security. No doubt, if you get on our Web site or receive our newsletters, you’ve read something about the Windows Security Challenge. A team of experts spent the day hardening a “typical” network using Microsoft security guidelines, which included a Windows 2000 server, Exchange server, SQL Server, IIS and ISA Server. Then they invited the world to crack into it.

As Keith wrote in his online wrap-up story, “After 31 hours and 40,000 attacks, the Windows 2000 network set up and hardened...remained uncompromised.”

Naturally, it was rigged. They called on some of the biggest names in Windows security to effect the hardening—people who aren’t ordinary sys admins and could really concentrate on the job at hand. Hackers had only 36 hours to crack in—hardly enough time to show real creativity with their efforts. The system had no end-users, which eliminated a major set of vulnerabilities. Attendees were discouraged from launching denial-of-service attacks, as it would have stopped the game for everybody. And those of us on site were barred from physically touching the network and, say, walking off with a server.

So doesn’t that make the Challenge merely a meaningless exercise in control freak behavior? Actually, even under those parameters, the endeavor showed its weaknesses.

First, the first security guard hired to watch over the network kept falling asleep. Second, in his exhaustion, one of the hardening experts left a floppy disk with some passwords on it in one of the drives. Third, an insider decided to gain physical access to the network in violation of the stated rules. Security consultant Mark Burnett filled the new security guard full of soda, waited until he had to go to the bathroom, and changed the username and password for the administrator account on a server. Truly cunning behavior.

Steve Riley, a Microsoft security expert who configured security for the Exchange server, said the attack should serve as a warning to companies. “The people with the broadest and most thorough access to your company are the lowest-level employees, the security guards and janitors. It’s something you’re going to have to think about.”

Even if you do consider the Challenge a fake structure, its artificiality might be worth emulating. Nothing prevents you from organizing a team of company experts to harden your Windows network. Concentrate on the job for a day or a week—however long it takes. Impose restrictions to reduce internal weaknesses. Figure out stronger separations between the users and servers. Address the basics, which will take care of most of the security problems your network will face.

I’d enjoy hearing how your company approaches the challenge of security. I’m at [email protected].