
someone's trying to break in 1


wvgirl64 (MIS)
Aug 27, 2002
I am seeing numerous failed attempts by someone logging on as administrator (or various versions of the word) from various domains on a couple of our Citrix servers.
Is this someone trying to get in through Nfuse? We are operating with Citrix Secure Gateway. What can I do about this?
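An added example, not part of this thread, of the kind of check the failed logons described above would feed: it parses constructed NT/2000-style logon records (event 529 is the "logon failure: unknown user name or bad password" event, 528 a successful logon) and flags any source that cycles through administrator-style account names in a short window, then checks whether a flagged source ever got in. The flat record layout, field names, thresholds and sample values are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (timestamp, event id, account, source), not real logs.
# Event 529 = NT/2000 failed logon, 528 = successful logon; the layout is an assumption.
SAMPLE_LOG = """\
2002-08-27 03:14:05,529,Administrator,10.0.0.5
2002-08-27 03:14:06,529,administrator,10.0.0.5
2002-08-27 03:14:07,529,Admin,10.0.0.5
2002-08-27 03:14:09,529,ADMINISTRATOR,10.0.0.5
2002-08-27 03:20:00,529,jsmith,10.0.0.9
2002-08-27 03:21:00,528,jsmith,10.0.0.9
2002-08-27 03:30:00,529,Administrator,10.0.0.7
"""

ADMIN_LIKE = re.compile(r"^admin", re.IGNORECASE)  # "administrator" and its variants

def parse(log_text):
    """Split the flat records into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, event_id, account, source = line.split(",")
            events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                           "account": account, "source": source})
    return events

def admin_guessing_sources(events, window_seconds=60, threshold=3):
    """Sources with >= threshold failed admin-like logons inside window_seconds.
    Returns {source: (total admin-like failures, set of account spellings tried)}."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 529 and ADMIN_LIKE.match(e["account"]):
            failures[e["source"]].append((e["ts"], e["account"]))
    flagged = {}
    for src, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over the sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = (len(hits), {acct for _, acct in hits})
                break
    return flagged

def success_after_guessing(events, flagged):
    """Flagged sources that also logged on successfully (528): a failure streak
    alone is noise, a success from the same source after it is the real alarm."""
    return sorted({e["source"] for e in events
                   if e["event_id"] == 528 and e["source"] in flagged})
```

With the sample data only 10.0.0.5 is flagged (four spellings of the account name in under ten seconds) and no flagged source ever succeeds, which matches the "failures are good news" point made later in the thread.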
 
You've got a huge problem on your hands there. First thing you have to understand is that there isn't a system in the world that can't be hacked. BUT, there is a whole lot of things you can do to keep them out, and not allow it to be too easy. I faced something similar to your problems when I first took over at the company I'm with, not the least of which was there was no system security. Here's what I did to start solving it.

1: First, implement NAT. This was kind of a stop gap measure for me, but it goes a long way to solving the problem (you can't hit what you can't see). You might need a couple of external IP addresses, and a router that can NAT (I'm assuming you have DSL or T1). Also, routers have some holes as well. You might want to turn off certain features (such as allowing someone from the outside to telnet into or beyond the router).

2: A firewall. Firewalls are expensive, and many depend on how many Servers/Workstations you're securing. Sonicwall makes a decent firewall for the money. Also, Check Point is good, and fairly cost effective. They also offer their software with a 30 day trial. It runs on Windows NT/2000 (never tried it on XP or 2003). It takes about an afternoon's worth of work to get it installed and going. The beauty with a firewall is it lets you close ports easily, and allow just those ports in that you want in (or out). If you can't purchase a firewall, a good public source program is SNORT. It now runs in Windows. It's pretty good, though a pain to configure. I used it in conjunction with a program called IDScenter. If it hadn't been for the latter, I'd never have gotten it running. Now SNORT is an Intrusion Detection System, and it doesn't really combat intruders, though it will log attempts. It also won't let you limit ports and such, but it is open source which means that there's almost certainly someone out there that has figured out a way to do just that, or is working on it.

3: Rename your Administrator account. This is an overlooked security item. Most hackers will go after the Administrator account. The idea here is to make something else the Administrator, and turn Administrator into a paper tiger with no real power (except maybe to be redirected to a honeypot).

4: Patches and service packs, the quickest and easiest way to fix problems. Stay current on them. An example of where administrators dropped the ball is the Code Red Virus. This was a known vulnerability, and the patch was out long before the virus hit. If you had the patch, you didn't have a problem.

5: Enforce passwords. Change passwords every 90 days or less. Windows server will let you set your passwords so they expire in X amount of time, have a minimum length, and even not allow them to use the same password X amount of times. One word of caution here. If you have any services on your system that require a password to run (Veritas Backup Exec as an example), you can hose that real easy by changing the password it runs under. Also, educating your users helps. Make sure they don't do cute things like leave passwords lying around, or use passwords that are too easy to guess (initials plus DOB is the classic).

6: Permissions. Tighten them down. If Accounting doesn't need to have HR access, or vice versa, make sure they don't have permission to access each other's stuff. Also, turn off services that don't need to be running.

7: Read constantly. Microsoft has some great stuff on system security. Perhaps the best site for learning security is Security is a constantly changing field, and you have to stay on top of it. A book I highly recommend is Hacking Exposed. It will do a very good job of scaring the hell out of you, plus give you some tips and fixes. Get the latest edition. Another real good book for securing your system is O'Reilly's Securing Windows NT/2000 servers for the Internet. It tells you in plain English how to really tighten them down, though in my opinion, you need to keep good notes of what you did. It's pretty easy to go turn something off that the book says to turn off, only to find out that you needed it to run some application (like payroll software).

8: Get an outside appraisal. After you've finished the basics, contract with a computer security company to do a security audit. This will tell you which holes you've missed, etc. We do security audits quarterly. A lot of this depends on how much you want to spend. Also, the guys who do the security audits are good for telling you how to improve things (do be careful, a lot of them just like selling hardware, so I'd get with a local user group and find out who's good in your area).

9: With Citrix, unless whoever it is has the Citrix client on their machine, there's a very good chance all they'll see is keystrokes, but still, that's no reason to ignore the basics.

10: Keep good backups. When all else fails, you'll need them.

Hope this helps. One last thing. Get a security policy in place and stick to it. To make this happen, you have to have buy-in from the powers that be, so rope them in from the beginning. It will also help in the purchase of equipment and such. Part of this is an education process. Most users think if they have a password, they are secure. Part of what we used to get our CEO to see things our way was to put it into dollars and sense (if we lose these servers, it may take this long to get them back up, which means you have people getting paid to do nothing. Over that course of time, you've lost this much money, not to mention damage that has been done to our data, reputation, etc.). I worked for FEMA before running systems, and an old adage I remember is that in times of disaster 97% of all businesses will never reopen their doors. A corollary to this is the longer it takes you to reopen your business, the less likely you will. This applies to system recovery as well.

Rich
 
Very nice and thorough post by Rich. I work for a LARGE state government agency that does not have a firewall (talk about security issues). I just wanted to add that the fact that you are seeing FAILURES is actually good. It means your administrator password is strong enough that it has not been hacked. Before Rich's post makes you panic, as long as you continue to see failures, you are OK.

The immediate security fixes you need to apply are: 1) renaming your administrator as suggested, 2) change the password to a 14 character (if NT) or 15 character (if Win2K) strong (i.e. use lower and upper case, numbers, and characters) password, and 3) implement a security policy that restricts anonymous access to your server. Step 3 is critical. Without it, a hacker can enumerate your users and see what user accounts you have. Thus renaming the administrator is useless if you also do not restrict anonymous access. To do this on a Win2K box, go into the Local Security Settings (in administrative tools). Expand Local Policies and highlight Security Options. The first option listed is Additional restrictions for anonymous connections. Change this to Do not allow enumeration.... Reclick Security Settings and click Reload. You have just closed the biggest open door to your house and removed the welcome sign. We implement a whole slew of additional security measures, but that is the primary do-it-now one. Good luck.

Jeff
 
Thank you Rich and Jeff! We closed the port on the firewall that it appeared they were coming in on and that seems to have helped for now. We will also be putting the strong password policy into effect. I like the suggestion about renaming Administrator also. About the anonymous connection, you mentioned the Local Security Policy, what about for the domain? Or is this a per server setting?
 