Infrastructure and Data Security Analysis: July 2003
alienconcepts incorporated
Client Information: Mobiltrak - Chandler, Arizona
Contact: Ed Rickerson, VP Operations
Date: Report 8/1/2003; Test Date 7/21/2003-7/24/2003
Performed By: Paul F Bergetz (President, Alienconcepts Incorporated)
Phone: 708-686-7285
Email: audigo@alienc.com
Purpose
1. Establish the current condition of infrastructure and data security.
2. Make recommendations based on the findings.
Location/Date/Time
The tests were performed at Mobiltrak in Chandler, AZ from July 21 through July 24, 2003. Follow-up work and analysis of the findings was performed offsite. Verification and additional data were obtained via a Terminal Services network connection from our office in Mount Prospect.
Data Collection
Day 1 - The test setup consisted of a Sony GRX series portable with 1 GB RAM, 1600x1200 resolution and two network cards. Upon arrival at the site I set up the portable outside the Mobiltrak workgroups and domain, behind the firewall. A mirrored connection was made to monitor all traffic going in and out of the router behind the firewall using eTrust 2.05; data was collected for 25 working hours. Ran bandwidth tests: during a 10-minute test period at 5:00 PM the bandwidth available was 0.9 Mbps out of a maximum of 1.54 Mbps, measured between the firewall and the ISP.
Day 2 - Began discovery of network resources by creating an NMS version 2.1 netmap. This map was run continuously during the 3-day period to catch any omissions for systems not online. I then ran the discovery process again using What's Up Gold and Hyena. The results obtained from Hyena are the basis for the bulk of the data in this analysis workbook. The IDS (Intrusion Detection System) was also run at the same time, logging ALL protocol activity through the firewall. The total amount of activity logged was 317 hours encompassing 1.3 GB of data in a 16.6-hour period (see the IDS summary). These numbers (317 hours in 16.6 hours) may seem strange; however, ALL users go through the firewall, which means that ALL users' times are accumulated. Also note that it may seem incorrect to see a user with more hours than the logging period, but remember that a user could have multiple windows open and refreshing.
Day 3 - Reviewed operation of the current infrastructure. Ran Hyena to collect all data available with reference to users, machines, services and drive structures.
Day 4 - Collected data regarding all WAN connections and devices. Reviewed the previous days' work and videotaped the server area.
Click on the link at left to display a passive network layout of the Mobiltrak infrastructure. An active version is also available if needed.
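To make the accumulation point above concrete, here is an added Python example (not from the original workbook; it uses constructed session records rather than the eTrust log) that contrasts the summed session hours an IDS summary reports with the wall-clock logging span and with each user's distinct time online.

```python
from datetime import datetime

# Constructed sample of IDS session records (user, start, end).
# These are illustrative values, not Mobiltrak's real log data.
SESSIONS = [
    ("alice", "2003-07-22 08:00", "2003-07-22 12:00"),
    ("alice", "2003-07-22 08:30", "2003-07-22 11:30"),  # second browser window
    ("bob",   "2003-07-22 09:00", "2003-07-22 17:00"),
    ("bob",   "2003-07-22 09:00", "2003-07-22 17:00"),  # auto-refreshing page
    ("carol", "2003-07-22 13:00", "2003-07-22 15:00"),
]

FMT = "%Y-%m-%d %H:%M"

def parse(sessions):
    """Turn the string records into (user, start, end) datetime tuples."""
    return [(u, datetime.strptime(s, FMT), datetime.strptime(e, FMT))
            for u, s, e in sessions]

def accumulated_hours(sessions):
    """Sum of every session's duration: the figure an IDS summary reports."""
    return sum((e - s).total_seconds() for _, s, e in parse(sessions)) / 3600

def wall_clock_hours(sessions):
    """Span of the logging period from the first start to the last end."""
    rows = parse(sessions)
    first = min(s for _, s, _ in rows)
    last = max(e for _, _, e in rows)
    return (last - first).total_seconds() / 3600

def union_hours(intervals):
    """Hours covered by at least one interval; overlaps are counted once."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).total_seconds() for s, e in merged) / 3600

def per_user_report(sessions):
    """Map user -> (accumulated hours, distinct hours online).

    A user whose accumulated hours exceed their distinct hours had
    overlapping sessions (multiple windows), which is why per-user
    totals can exceed the logging period without anything being wrong."""
    by_user = {}
    for u, s, e in parse(sessions):
        by_user.setdefault(u, []).append((s, e))
    return {u: (sum((e - s).total_seconds() for s, e in iv) / 3600, union_hours(iv))
            for u, iv in by_user.items()}
```

With the constructed records, 25 accumulated hours are logged inside a 9-hour window, and bob's two concurrent 8-hour sessions count as 16 accumulated hours but only 8 distinct hours online.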
Linked worksheets: Ran bandwidth tests; NMS version 2.1 netmap; IDS summary; WAN connections/devices; Passive Network Layout.
Issues / Corrections
After collecting, formatting and analyzing the data, the following issues were found. The recommended correction is listed below each issue (prefixed with a dash; in italic in the workbook). Clicking on the hyperlink will redirect to the dataset referenced.
issue01
864 user accounts on a PDC domain controller, with only 30+ employees and 80+ clients, is a real risk considering there is no backup domain controller, let alone the security risk of letting outsiders inside your network.
- If clients need access to company resources from outside the organization, this should be via MS Terminal Services or a web interface maintained on servers OUTSIDE the internal network (a DMZ in front of the firewall, or outsourced to the ISP). This leaves company data on servers not prone to corruption or access by unauthorized personnel. Replication of critical data could then be handled between the "external" and "internal" servers on a regular basis. If a failure occurs you can roll back to the last replication. Only Mobiltrak employees should be listed in the internal domain.
issue02
Try to eliminate print servers unless you have very high capacity printing needs (or special printers which require print servers).
- Print servers are useful; however, they are just another system that needs support. Using a JetDirect print server minimizes support and allows printing if servers are down.
issue03
There are too many people on the network with administrator rights.
- Minimize who has administrative access; two accounts are a must. Each of these people should have a thorough understanding of the other's responsibilities in case one party is not available.
issue04
There are too many groups defined in this infrastructure.
- Minimize the number of groups. Just like users and shares, the more you have the more can go wrong. These are all security risks as well as support liabilities.
issue05
Disable the "guest" account on all systems.
- The default install procedure for NT4 and W2K enables this account. Turn it off on all systems. Use the "Internet Guest Account" (IUSR_ and IWAM_) for web access (recreate this account after install for security).
issue06 - CRITICAL
There is no backup domain controller listed. This could result in loss of user login accounts and the security database.
- I suggest one of the W2K DNS servers be promoted to domain controller, using the other DNS server as backup. At the time this is done the user database can be edited to contain only required users and eliminate the 700+ extra names. The extra names could be read into an "external" client database which could be used as the basis for the "external" server/s. The current PDC could be recycled to this task after the new domain controllers are online.
issue07
The Mobiltrak legacy field systems present a security risk.
- There are four-plus W2K and NT systems out in the field being used as RAS servers to transfer data from the "EMU" sites to "mobserv03" in Chandler, AZ. These could be a security risk should someone find them and install KVM resources. The potential does exist for an unauthorized connection via these systems; make sure that they are not part of the domain and that there is no login/password combination existing on the local/domain system with any rights that could cause a problem.
issue08
The computer browser service is running on numerous systems. It should only be running on one server, with a second server as a backup.
- Having too many browsers on a network can play havoc with the NetBIOS name service, causing inability to log in to resources. Set all computer browser services to manual except for two systems that are online 24x7. After this change is made, reboot everything. You should check for running browsers in your monthly maintenance checklist.
issue09
The auto update service is running on numerous systems.
- Auto update is the "Pandora" of Microsoft features. For all the good auto update is supposed to do, a large number of problems are caused by this feature. Make sure it is off on every system. Apply updates via login script only as needed and after testing.
issue10 - CRITICAL
There appears to be over 400 GB of MT data scattered around the various servers without a backup or disaster recovery plan. See the DataLocations worksheet in this workbook for details.
- There is no data backup or disaster recovery plan in place at MT. This needs to be corrected ASAP. All critical data sources need to be backed up at least once daily onsite and once weekly offsite (or use yesterday's tape). Several of the users are backing up data to local systems or taking it home on CD/DVD; this is fine, however, none of it is documented. Expand upon the DataLocation worksheet to keep track of this serious problem. MT is a "data" company without easily accessed backups of "data", your main asset.
issue11 - CRITICAL
All of the servers have their boot drives set up to hold the OS, programs, pagefile, temp files and DATA on the same partition. This is a very dangerous scenario.
- Good practice dictates not allowing DATA on boot drives; the same applies to temp files and the pagefile, all of which should be redirected to other volumes/partitions. The only files that should be on the boot drives are the OS, program-related files and configurations. (A small 20 MB pagefile is a good idea on the boot volume if restarts are needed without other drives connected.)
issue12 - CRITICAL
None of the servers have been imaged. This could result in network services downtime equal to the time it takes to bring the failed system back online.
- Boot volumes should have a current "image" of their contents ready for fast recovery in the event of a failure (usually less than 30 minutes downtime). Boot volumes should be re-imaged every time system or application changes are made and tested. The image should be stored on a second drive in the system using a FAT32 partition. This allows easy access and recovery in case of a failure. An alternate method would be to have two boot drives, follow the above procedures, "image" the entire drive to the second drive and then take it offline. The same procedures should be applied to workstations and portable systems (a master image can be made to cover various models).
issue13 - CRITICAL
There is no enforcement of password aging on any account. As a result the majority of user accounts have not changed their passwords for years, if at all.
- Passwords MUST be changed regularly, preferably at 6-month intervals. This is another reason for not having more accounts than needed (increased support liability). All passwords should be stored in a fireproof vault with access only allowed to the administrators.
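An added audit script, not part of the original report and not Hyena's own export format, that applies the checks behind issue01 (non-employee accounts in the internal domain), issue03 (administrator count), issue05 (enabled guest accounts) and issue13 (password age) to a constructed account export; the column names, the sample accounts and the 182-day threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed account export (NOT real Hyena output or Mobiltrak data). Assumed columns:
# name, enabled (1/0), last_password_change (YYYY-MM-DD), groups (';' separated), employee (y/n).
EXPORT = """name,enabled,last_password_change,groups,employee
jsmith,1,2003-05-01,Domain Users;Domain Admins,y
mjones,1,1999-02-14,Domain Users;Domain Admins;Backup Operators,y
guest,1,1998-01-01,Domain Guests,n
IUSR_MOBSERV03,1,2003-03-01,Guests,n
client0042,1,2000-06-30,Domain Users,n
tadmin,1,2001-11-11,Domain Users;Domain Admins,y
"""

MAX_PASSWORD_AGE_DAYS = 182          # assumed: roughly the 6-month interval from issue13
MAX_ADMIN_ACCOUNTS = 2               # issue03: "two accounts are a must"
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
WEB_SERVICE_PREFIXES = ("IUSR_", "IWAM_")   # issue05: the Internet Guest Accounts are expected

def load(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def password_age_days(row, today):
    return (today - date.fromisoformat(row["last_password_change"])).days

def audit(text, today):
    """Return findings keyed by the report's issue numbers, plus a pass/fail flag each."""
    rows = load(text)
    outsiders = [r["name"] for r in rows
                 if r["employee"] == "n" and not r["name"].startswith(WEB_SERVICE_PREFIXES)]
    admins = [r["name"] for r in rows if ADMIN_GROUPS & set(r["groups"].split(";"))]
    guests = [r["name"] for r in rows if r["name"].lower() == "guest" and r["enabled"] == "1"]
    stale = [r["name"] for r in rows if password_age_days(r, today) > MAX_PASSWORD_AGE_DAYS]
    return {
        "issue01_non_employee_accounts": outsiders,
        "issue03_admin_accounts": admins,
        "issue03_too_many_admins": len(admins) > MAX_ADMIN_ACCOUNTS,
        "issue05_guest_enabled": guests,
        "issue13_stale_passwords": stale,
    }

if __name__ == "__main__":
    for key, value in audit(EXPORT, date(2003, 7, 24)).items():
        print(f"{key}: {value}")
```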
issue14
There appear to be a large number of shares for such a small network. This creates a lot of extra housekeeping.
- Minimize the number of shares. Just like users and groups, the more you have the more can go wrong. These are all security risks as well as support liabilities.
issue15
There is no record of the "raid drives" being replaced regularly.
- Hard drives are the number one cause of failure in servers. Having a "raid" does not protect you from this; in fact it is the opposite: the more drives in a raid, the shorter the life cycle. A good practice is to replace ALL raid drives every 2 years. Do not recycle used raid drives into other servers. Use them for testing or get rid of them.
issue16
Telnet and Finger are running on the Cisco 2600. This allows passing of password information in clear text. This was confirmed from 2 outside locations with attempted login.
- Remove telnet from the "external" access list and make sure it is only in the "internal" list. When router changes are needed (from the outside), log in to a secured server using Terminal Services and run "Secure Shell" or "Putty" to telnet into the router from the inside network. This eliminates the security risk. Finger can be disabled with the above scenario (it is used to view logged-in user information).
issue17
There are outside workgroups attached to the MT network via VPN.
- Three workgroups are continuously attached to the Mobiltrak domain:
Onyx: Onyxserver 10.10.7.5 (Chris Lawcrofts)
Gilbertgroup (Brandon Harris): 2 systems, LDHMOFC 10.10.8.5
Mshome (unknown): Techduceduce 10.10.10.19
This can be a security risk if a login is left open on the workgroup end and an unauthorized user happens to gain access to the system. If there is no data moving back and forth there is no need to be connected. At worst, set the systems on the workgroup end to auto-log-off after a certain interval of time with no activity; this way an active login window will not be available (password authentication will be required again).
issue18
Poor use of power backup resources.
- I found a large array of 8x3 kW Symmetric power backup units connected to the PDC and several switches. This seems very wasteful since the PDC contains login info and old data. An inventory of all backup power devices with their capacities should be made and cross-referenced to the level of uptime needed for the various services. Once completed, redistribute the backup units based on what is most critical to MT operation. Being that your primary asset is your data, I would think the central collection point for this data should be listed first, as well as any supporting infrastructure for it.
issue19
I found a redundant WAN service provider (however, it appears to be the same as the primary).
- Make sure that the redundant service is off another provider's primary backbone (or can be guaranteed to switch over in the event of primary ISP failure).
issue20
Some of the servers do not have dual power supplies.
- The second most prominent cause of failure is power supplies. If a server is critical to company operation and cannot be taken down for the maintenance window required to change a power supply, you need a dual power system.
Summary