Windows Security Challenge Network Holding Strong—So Far
When you invite the world to try to hack into your Microsoft network, what's the major security challenge you face? In the case of MCP TechMentor's Windows Security Challenge, it might be the security
- By Dian Schaffhauser
Imagine you've set up a network with Windows
2000 servers and desktops, XP desktops, Exchange, IIS, SQL Server, and
ISA Server. You've followed the security guidelines set down by Microsoft,
and you've applied service packs and patches that have surfaced since
those products were released. Then you invite the world to try to hack
into the network. What's the major security challenge you face?
In the case of MCP TechMentor's Windows Security Challenge, it's probably
the fact that the security guard protecting the room where the servers
are physically located keeps falling asleep.
One speaker said he was tempted to walk into the room and unplug something
in order to bring the Web site down.
On day one, attendees heard the highlights of the network hardening effort,
as explained by the team that did the work, including Microsoft security
consultant Steve Riley, SQL Server consultant Ted Malone, IIS expert Brett
Hill, firewall expert Joern Wettern and Active Directory consultant Laura
Robinson, and led by MCP Magazine Contributing Editor Roberta Bragg.
A diagram of the network is available at http://www.techmentorsummit.com/ seattle/overview.asp#.
The presentations highlighted the same best practices outlined in Microsoft's
Security Operations Guide, available online at http://www.microsoft.com/technet/ treeview/default.asp?url=/technet/security/prodtech/ windows/windows2000/staysecure/.
The three-day event is hosted by 101communications and MCP Magazine.
By 6 p.m. on Wednesday the network, the network was activated and hosting
a Web site at http://www.windowssecuritychallenge.com.
The Web page shows a simple guest book application. The information filled
in by visitors poses a sort of enticement to hackers, who try to access
the SQL Server holding the data.
"We're seeing a tremendous amount of attacks but there's nothing really
original... It's a lot of script kiddies," said Mark Burnett, an Internet
security consultant and author, who installed Snort to log activity for
the project. "I haven't seen anything really serious. It goes to show
just how effective the basic steps can be."
Malone, the SQL expert on the team, said visitors have tried to break
into the SQL application.
"Then they tried to get into IIS. Thousands and thousands of exploits.
Gave that up pretty quickly." He said the team has seen a lot of SQL injection-oriented
errors, in which hackers attempt to exploit an aspect of SQL by tricking
the application into running commands entered through data fields. Malone
showed in his session how to prevent SQL injection problems; the fix:
changing single apostrophes in the SQL code to dual apostrophes.
The question the challenge is attempting to answer, said Bragg, program
chair for the event, was, "Can a small business protect against the threats
that are out there?" Her conclusion: "It is not that hard. It takes time.
It takes commitment."
But there's a bigger issue at stake, she said. "It's not about securing
your world; it's about securing the world." That, she said, requires
a different mindset.
The network will remain live until the end of Thursday.
Dian L. Schaffhauser is a freelance writer based in Northern California.