Security Watch
Digging Deep
Build effective security moats with a defense-in-depth strategy.
- By Roberta Bragg
- 05/03/2004
It's easy to get trapped in the cycle of vulnerability announcements,
patch announcements and patching processes. It can sap your energy,
keep you from looking at the big picture, and prevent you from building
defenses to deal with problems as yet unannounced. It can be especially
frustrating when you run into machines that can't be patched because
of some underlying application incompatibility with the changes
made by a patch. But you do it because you have to, and by now,
I hope you've applied defensive measures to prevent compromise due
to recent worms.
Once all that's done, though, what then?
The answer is defense-in-depth. Let's look at the current port
443 and port 445 attacks, many of which are new worms in response
to the PCT and LSASS vulnerabilities in MS04-011. What benefits
would a defense-in-depth strategy have? Let's examine the layers
that should be in place.
- Network perimeter: If you're blocking access to these
ports from the Internet, you're not vulnerable to worms propagated
and present on the Internet. (If an infection already exists on
your network, or is brought in through another vector, this doesn't
hold.)
- Application layer: Your first defense here, of course,
is patch application. However, defense-in-depth requires other
steps. There are specific updates for anti-virus products that
can defend against known worms, but to ensure you're protected,
and to block new worms or manual attacks, you can do more.
If you're restricting or disabling anonymous access, the current
worms, according to security researcher Thor Larholm and others,
can't take advantage of the LSASS vulnerability. Restricting anonymous
access has been a standard precaution since Windows NT 4.0, Service
Pack 3. I suspect many of you are blocking port 445 (which the worms
are targeting) at your perimeters, but the attacks on PCT, which
use port 443, can't be as easily defended against. Port 443 is also
used for SSL; therefore, every Windows server using SSL to protect
communications and authenticate servers may be vulnerable, and you
can't simply block access to that port. You can, however, take two
steps. First, ensure that port 443 is open to Internet access only
from those machines that require it. Second, the vulnerability here
is in PCT, a secure channel protocol that, like SSL, uses port 443.
This protocol can be safely disabled without impacting the use of
SSL. The Registry entry is listed in Microsoft Knowledge Base article
187498, "Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS".
- Host layer: Some of the application-layer defenses covered
above are known host-hardening configuration steps. Other steps
include disabling unnecessary services like telnet and TFTP --
two favorite protocols used in remote access attacks and for downloading
malicious code. As an added layer of protection, use IPSec blocking
policies to block both incoming and outgoing use of ports commonly
used in attacks. Even if the service has been disabled, an attack
might be able to take advantage of a vulnerability to enable the
service, or install its own service. Blocking outgoing communications
not part of a host's normal, required activity can prevent that
type of runaround.
- Wetware: Wetware includes all the biological aspects
of your network, like clueless users and harried administrators.
You should insist on security awareness training for all users
and continue your awareness training by keeping in touch with
security lists, newsletters and other communications. One source
you should subscribe to is Larholm's "unpatched," at www.pivx.com.
It's not a weekly tirade; just some good, timely advice when there's
something to say.
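As an added example, not part of the column: a read-only PowerShell audit of the application- and host-layer settings covered above (PCT 1.0 disabled, anonymous access restricted, telnet and TFTP services absent or disabled). It assumes an elevated PowerShell session on the Windows host; the SCHANNEL and LSA registry paths are the standard ones, and the service names TlntSvr and tftpd are assumptions.

```powershell
function Get-HostHardeningReport {
    $results = @()

    # 1. PCT 1.0 on the server side. Enabled = 0 under the SCHANNEL protocol key turns the
    #    protocol off without touching SSL/TLS, which is the change KB 187498 describes.
    $pctKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'
    $pct = Get-ItemProperty -Path $pctKey -Name Enabled -ErrorAction SilentlyContinue
    $pctValue = if ($null -eq $pct) { 'not explicitly set (OS default applies)' } else { $pct.Enabled }
    $results += [pscustomobject]@{
        Check = 'PCT 1.0 server disabled'
        Value = $pctValue
        Pass  = ($null -ne $pct -and $pct.Enabled -eq 0)
    }

    # 2. Anonymous access. RestrictAnonymous under the LSA key: 1 or 2 restricts null sessions.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $lsaValue = if ($null -eq $lsa) { 'not explicitly set (OS default applies)' } else { $lsa.RestrictAnonymous }
    $results += [pscustomobject]@{
        Check = 'RestrictAnonymous >= 1'
        Value = $lsaValue
        Pass  = ($null -ne $lsa -and $lsa.RestrictAnonymous -ge 1)
    }

    # 3. Unnecessary services. Service names are assumptions (TlntSvr = Telnet, tftpd = TFTP daemon);
    #    a service that is not installed at all also passes.
    foreach ($name in 'TlntSvr', 'tftpd') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $svcValue = if ($null -eq $svc) { 'not installed' } else { "$($svc.State), start mode $($svc.StartMode)" }
        $results += [pscustomobject]@{
            Check = "$name absent or disabled"
            Value = $svcValue
            Pass  = ($null -eq $svc -or $svc.StartMode -eq 'Disabled')
        }
    }

    return $results
}

# Print the report and flag any failing check; nothing here changes the host.
$report = Get-HostHardeningReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'One or more hardening checks failed.' }
```

A value reported as "not explicitly set" means the operating system default is in effect, which on older Windows versions leaves PCT 1.0 enabled; the script only reports and does not change any setting.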
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.