Infrastructure and Data Security Analysis: July 2003

alienconcepts incorporated

Client: Mobiltrak - Chandler, Arizona
Contact: Ed Rickerson, VP Operations
Report Date: 8/1/2003
Test Dates: 7/21/2003-7/24/2003
Performed By: Paul F Bergetz (President, Alienconcepts Incorporated)
Phone: 708-686-7285
Email: audigo@alienc.com
Purpose
1-Establish current condition of infrastructure and data security.
2-Make recommendations based on findings.
Location/Date/Time
The tests were performed at Mobiltrak in Chandler AZ from July 21 through July 24 2003. Follow-up work and analysis of the findings were performed offsite.

Verification and additional data were obtained via a Terminal Services network connection from the office in Mount Prospect.
Data Collection
Day1 - Test setup included a Sony GRX series portable with 1gb RAM, 1600x1200 resolution and 2 network cards.
Upon arrival at the site I set up the portable outside the Mobiltrak workgroups and domain, behind the firewall.
A mirrored connection was made to monitor all traffic going in and out of the router behind the firewall using eTrust 2.05; data was collected for 25 working hours.
Ran bandwidth tests. During the test period of 10 mins at 5:00PM the bandwidth available was .9(Mbps) out of a maximum of 1.54(Mbps), measured between the firewall and the ISP.

Day2 - Began discovery of network resources by creating an NMS version 2.1 netmap. This map was run continuously during the 3 day period to catch any omissions for systems not online at the time.
I then ran the discovery process again using WhatsUp Gold and Hyena. The results obtained from Hyena are the basis for the bulk of the data in this analysis workbook.

The IDS (Intrusion Detection System) was also run at the same time, logging ALL protocol activity through the firewall. The total amount of activity logged was 317 hours encompassing 1.3gb of data in a 16.6 hour period.

IDS summary. These numbers (317 hours in 16.6 hours) may seem strange; however, it should be pointed out that ALL users go through the firewall, which means that ALL users' times are accumulated. Also note that it may seem incorrect when you see a user with more hours than the logging period; remember that a user could have multiple windows open and refreshing, so each open session adds its own time to the total.
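The following is an added illustration of the accounting behind the IDS summary, not code from the original report or the IDS product: the session list is constructed, and the time values are hypothetical. It contrasts the accumulated per-session total (how the IDS adds up user time, including overlapping windows) with the wall-clock span actually covered.

```python
from datetime import datetime

# Constructed sample sessions (user, start, end) for one logging day;
# hypothetical values, not real Mobiltrak IDS data.
SESSIONS = [
    ("alice", "2003-07-21 08:00", "2003-07-21 17:00"),
    ("alice", "2003-07-21 09:00", "2003-07-21 12:00"),  # second window, overlaps the first
    ("bob",   "2003-07-21 08:30", "2003-07-21 16:30"),
    ("bob",   "2003-07-21 20:00", "2003-07-21 22:00"),
]


def _parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def accumulated_hours(sessions):
    """Sum of every session's duration: the way the IDS totals user time."""
    return sum((_parse(e) - _parse(s)).total_seconds() for _, s, e in sessions) / 3600


def per_user_hours(sessions):
    """Accumulated time per user; a user with overlapping windows exceeds the span."""
    totals = {}
    for user, s, e in sessions:
        totals[user] = totals.get(user, 0.0) + (_parse(e) - _parse(s)).total_seconds() / 3600
    return totals


def wallclock_hours(sessions):
    """Length of the union of all sessions: the real time the log actually covers."""
    intervals = sorted((_parse(s), _parse(e)) for _, s, e in sessions)
    merged = []
    for start, end in intervals:
        if merged and start <= merged[-1][1]:          # overlaps previous block: extend it
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum((e - s).total_seconds() for s, e in merged) / 3600


if __name__ == "__main__":
    print("accumulated:", accumulated_hours(SESSIONS))   # 22.0 hours of "user time"
    print("wall clock: ", wallclock_hours(SESSIONS))     # 11.0 hours really elapsed
    print("per user:   ", per_user_hours(SESSIONS))
```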

Day3 - Reviewed operation of the current infrastructure. Ran Hyena to collect all data available with reference to users, machines, services and drive structures.

Day4 - Collected data regarding all WAN connections and devices. Reviewed the previous days' work and videotaped the server area.

A passive network layout of the Mobiltrak infrastructure is linked at left; an active version is also available if needed.

Issues / Corrections
After collecting, formatting and analyzing the data, the following issues were found. Recommended corrections are listed below each issue (prefixed with a dash). Each issue is cross-referenced to the dataset in this workbook that it is based on.

issue01
864 user accounts on a PDC domain controller with only 30+ employees and 80+ clients is a real risk considering there is no backup domain controller, let alone the security risk of letting outsiders inside your network.
-If clients need access to company resources from outside the organization, this should be via MS Terminal Services or a web interface maintained on servers OUTSIDE the internal network (DMZ in front of the firewall or outsourced to the ISP). This leaves company data on servers not prone to corruption or access by unauthorized personnel. Replication of critical data could then be handled between "external" and "internal" servers on a regular basis. If a failure occurs you can roll back to the last replication. Only Mobiltrak employees should be listed in the internal domain.

issue02
Try to eliminate print servers unless you have very high capacity printing needs (or special printers which require print servers).
-Print servers are useful; however, they are just another system that needs support. Using a JetDirect print server minimizes support and allows printing if servers are down.


issue03
There are too many people on the network with administrator rights.
-Minimize who has administrative access; two accounts are a must. Each of these people should have a thorough understanding of the other's responsibilities in case one party is not available.

issue04
There are too many groups defined in this infrastructure.
-Minimize the number of groups. Just like users and shares, the more you have the more can go wrong. These are all security risks as well as support liabilities.

issue05
Disable the "guest" account on all systems.
-The default install procedure for NT4 and W2K enables this account. Turn it off on all systems. Use the "Internet Guest Account" (IUSR_ and IWAM_) for web access (recreate this account after install for security).

issue06 - CRITICAL
There is no backup domain controller listed. This could result in loss of user login accounts and the security database.
-I suggest one of the W2K DNS servers be promoted to domain controller using the other DNS server as backup. At the time this is done the user database can be edited to contain only required users and eliminate the 700+ extra names. The extra names could be read into an "external" client database which could be used as the basis for the "external" server/s. The current PDC could be recycled to this task after the new domain controllers are online.

issue07
The Mobiltrak legacy field systems present a security risk.
-There are four plus W2K and NT systems out in the field being used as RAS servers to transfer data from the "EMU" sites to "mobserv03" in Chandler, AZ. These could be a security risk should someone find them and install KVM resources. The potential does exist for an unauthorized connection via these systems; make sure that they are not part of the domain and that no login/password combination exists on the local/domain system with any rights that could cause a problem.



issue08
The computer browser service is running on numerous systems. It should only be running on one server, with a second server as a backup.
-Having too many browsers on a network can play havoc with the NetBIOS name service, causing an inability to log in to resources. Set all computer browser services to manual except for two systems that are online 24x7. After this change is made, reboot everything. You should check for running browsers in your monthly maintenance checklist.

issue09
The auto update service is running on numerous systems.
-Auto update is the "Pandora" of Microsoft features. For all the good auto update is supposed to do, a large amount of problems are caused by this feature. Make sure it is off on every system. Apply updates via login script only as needed and after testing.

issue10 - CRITICAL
There appears to be over 400gb of MT data scattered around the various servers without a backup or disaster recovery plan. See the DataLocations worksheet in this workbook for details.
-There is no data backup or disaster recovery plan in place at MT. This needs to be corrected ASAP. All critical data sources need to be backed up at least once daily onsite and once weekly (or use yesterday's tape) offsite. Several of the users are backing up data to local systems or taking it home on CD/DVD; this is fine, however, none of this is documented. Expand upon the DataLocation worksheet to keep track of this serious problem. MT is a "data" company without easily accessed backups of "data", your main asset.

issue11 - CRITICAL
All of the servers have their boot drives set up to hold the OS, programs, pagefile, temp files and DATA on the same partition. This is a very dangerous scenario.
-Good practice dictates not allowing DATA on boot drives; the same applies to temp files and the pagefile, all of which should be redirected to other volumes/partitions. The only files that should be on the boot drives are the OS, program related files and configurations. (A small 20 mb pagefile is a good idea on the boot volume if restarts are needed without other drives connected.)

issue12 - CRITICAL
None of the servers have been imaged. This could result in network services downtime equal to the time it takes to bring the failed system back online.
-Boot volumes should have a current "image" of their contents ready for fast recovery in the event of a failure (usually less than 30mins downtime). Boot volumes should be re-imaged every time system or application changes are made and tested. The image should be stored on a 2nd drive in the system using a FAT32 partition. This allows easy access and recovery in case of a failure. An alternate method would be to have 2 boot drives, follow the above procedures, "image" the entire drive to the second drive and then take it offline. The same procedures should be applied to workstations and portable systems. (A master image can be made to cover various models.)

issue13 - CRITICAL
There is no enforcement of password aging on any account. As a result the majority of user accounts have not changed their passwords for years, if at all.
-Passwords MUST be changed regularly, preferably at 6 month intervals. This is another reason for not having more accounts than needed (increased support liability). All passwords should be stored in a fireproof vault with access only allowed by the administrators.
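The following is an added example of how the account-hygiene findings in issues 01, 03, 05 and 13 can be checked mechanically from a user-list export such as the Hyena data this workbook is based on. It is not code from the original report or from Hyena; the export format, the column names and every account in the sample are constructed, and the 182-day limit stands in for the report's 6 month interval.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample shaped like a user-list export (hypothetical accounts,
# not real Mobiltrak data): account, account type, enabled flag, groups, last set.
EXPORT = """account,type,enabled,groups,pwd_last_set
admin1,employee,yes,Domain Admins;Domain Users,2003-06-30
admin2,employee,yes,Domain Admins;Domain Users,2001-02-14
jsmith,employee,yes,Administrators;Domain Users,1999-11-03
Guest,builtin,yes,Guests,1998-05-01
client042,client,yes,Domain Users,2000-08-20
client043,client,no,Domain Users,2002-01-10
"""
AS_OF = datetime(2003, 7, 24)               # last day of the test window
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=182)      # the report's 6 month interval
MAX_ADMINS = 2                              # "two accounts are a must"


def audit_accounts(export_text, as_of):
    """Flag the account problems raised in issues 01, 03, 05 and 13."""
    findings = {"admins": [], "stale_passwords": [], "guest_enabled": False,
                "external_accounts": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        enabled = row["enabled"].lower() == "yes"
        groups = set(row["groups"].split(";"))
        pwd_age = as_of - datetime.strptime(row["pwd_last_set"], "%Y-%m-%d")
        if enabled and groups & ADMIN_GROUPS:          # issue03: who holds admin rights
            findings["admins"].append(row["account"])
        if enabled and pwd_age > MAX_PASSWORD_AGE:     # issue13: no password aging
            findings["stale_passwords"].append(row["account"])
        if row["account"].lower() == "guest" and enabled:   # issue05: guest left on
            findings["guest_enabled"] = True
        if row["type"] == "client":                    # issue01: outsiders in the domain
            findings["external_accounts"].append(row["account"])
    findings["too_many_admins"] = len(findings["admins"]) > MAX_ADMINS
    return findings


def audit_report():
    """Run the audit over the embedded sample as of the report's test date."""
    return audit_accounts(EXPORT, AS_OF)


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(f"{key}: {value}")
```

On a real export, disabled accounts are skipped for the admin and password checks so that the list reflects what can actually be used to log in.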




issue14
There appear to be a large number of shares for such a small network. This creates a lot of extra housekeeping.
-Minimize the number of shares. Just like users and groups, the more you have the more can go wrong. These are all security risks as well as support liabilities.

issue15
There is no record of the "raid drives" being replaced regularly.
-Hard drives are the number one cause of failure in servers. Having a "raid" does not protect you from this; in fact, it is the opposite: the more drives in a raid, the shorter the life cycle. A good practice is to replace ALL raid drives every 2 years. Do not recycle used raid drives into other servers. Use them for testing or get rid of them.


issue16
Telnet and Finger are running on the Cisco 2600. This allows passing of password information in clear text. This was confirmed from 2 outside locations with attempted logins.
-Remove telnet from the "external" access list and make sure it is only in the "internal" list. When router changes are needed (from the outside), log in to a secured server using Terminal Services and run "Secure Shell" or "PuTTY" to telnet into the router from the inside network. This eliminates the clear-text exposure to the outside. Finger can be disabled with the above scenario (it is used to view logged-in user information).

issue17
There are outside workgroups attached to the MT network via VPN.
-Three workgroups are continuously attached to the Mobiltrak domain:
Onyx
   Onyxserver 10.10.7.5 (Chris Lawcrofts)
Gilbertgroup (Brandon Harris)
   2 systems, LDHMOFC 10.10.8.5
Mshome (unknown)
   Techduceduce 10.10.10.19
This can be a security risk if a login is left open on the workgroup end and an unauthorized user happens to gain access to the system. If there is no data moving back and forth there is no need to be connected. At the very least, set the systems on the workgroup end to auto log off after a certain interval of time with no activity; this way an active login window (already past password authentication) will not be available.


issue18
Poor use of power backup resources.
-I found a large array of 8x3kw Symmetric power backup units connected to the PDC and several switches. This seems very wasteful since the PDC contains only login info and old data. An inventory of all backup power devices with their capacities should be made and cross-referenced to the level of uptime needed for various services. Once completed, redistribute the backup units based on what is most critical to MT operation. Given that your primary asset is your data, I would think the central collection point for this is what should be listed first, as well as any support infrastructure for same.

issue19
I found a redundant WAN service provider (however, it appears to be the same as the primary).
-Make sure that the redundant service is on another provider's primary backbone (or can be guaranteed to switch over in the event of a primary ISP failure).


issue20
Some of the servers do not have dual power supplies.
-The second most prominent cause of failure is power supplies. If a server is critical to company operation and cannot be downed for the maintenance window required to change a power supply, you need a dual power supply system.
