Mediumcube.com Web Hosting Blog

January 3, 2010

Secure Windows Servers using IPSec Firewall

IPSec (Internet Protocol Security) is a cross-platform protocol for securing IP communications through authentication and encryption. IPSec operates at Layer 3 (the Network Layer), which makes it a powerful tool for controlling how traffic flows over a network.

IPSec was first introduced in Microsoft products with Windows 2000 and has been improved since. The main purpose of IPSec in Windows Server 2000/2003/2008 is to secure traffic between clients and domains, and between domains. However, another great benefit of IPSec is its flexibility to act as a software firewall on the Windows platform. The Windows 2003 firewall is so weak and inflexible that most of the time it ends up being disabled on servers. This is very dangerous for Windows web hosting servers, and more specifically for anyone running a DC over the internet with no proper firewall in place.

One of the major shortcomings of the Windows Firewall is its inability to filter the same port more than once. Thus, if we need to block traffic to port 1433 (the MSSQL port) for everyone but allow only two specific IP addresses in two different networks to access port 1433, that is not possible within the 2003 version of Windows Firewall.

The second major shortcoming is the inability to differentiate inbound from outbound traffic. For example, we’re unable to filter out connections to a specific external network address on all ports. We experience the same problem when attempting to allow incoming connections on all ports from a specific IP. This is not to mention the numerous times when the firewall caused network traffic issues, especially with earlier versions of Windows 2003 SP2.

Windows 2008 / 2008 R2 improves on Windows Firewall by adding Inbound and Outbound rules. It also now allows specific subnets or IPs to be given full access to all ports. The 2008 version of the Firewall acts almost like an IPSec based firewall. Yet when we have a mixed environment of 2003/2008 servers, we’ll want the same firewall services running on both, which makes IPSec the only reliable option.

In this article we’ll describe how to access IPSec as well as provide sample IPSec firewall rules. IPSec can be managed through a GUI (Local Security Policy) or from the command line (netsh). For our purpose, the steps are identical for Windows 2000/2003/2008. The 2008 IPSec version has one little difference: you can now copy/paste the IP address into the IP field, while 2000/2003 requires manually typing the IP address. An IPSec firewall can also be set up on Windows XP Professional.

The IPSec Snap-in is available from:
Start -> (Settings) Control Panel -> Administrative Tools -> Local Security Policy

An alternative way to open Local Security Policy is through:
Start -> Run -> type: secpol.msc

This will launch the Local Security Settings/Policies Snap-in. The IPSec rules are available under the section “IP Security Policies” on the left side.

NOTE: On a Domain Controller, you want to configure IPSec under the Domain Controller Group Policy if you wish to secure your DCs.

[Screenshot: IPSec console]

You’ll notice on the right side that IPSec lists the current policies available on the system. Only one policy can be active at a time. If you right-click on any of the policies on the right, you’ll notice the option “Assign”. Assigning a policy makes it active.

Now we need to import our sample firewall settings. Note that we can export/import policies by right-clicking on “IP Security Policies” -> All Tasks on the left side of the screen. Importing new policies with different names does not affect our currently set up policies. Furthermore, any time we experience issues with policies, we can restore IPSec back to the default system policies.

The IPSec firewall rules are available for download here.

Once we’ve downloaded the firewall rules, unzip them and place them somewhere on the computer. Then head back to the IPSec snap-in, right-click on “IP Security Policies” on the left side -> All Tasks -> Import Policies, and point to the location of the IPSec rules we’ve just unzipped.

The firewall rules are not assigned by default, so we need not be concerned about being locked out when they are imported. Our IPSec snap-in should look like this:

[Screenshot: IPSec snap-in after importing the policy]

We’ll notice a new policy has been added to our list named “Network Firewall”. If we click on “Network Firewall”, we’ll notice that the policy is not assigned (there are On/Off switches at the top for toggling the Assigned status).

Double-clicking on the “Network Firewall” policy will bring up the Properties screen:

[Screenshot: IPSec Firewall Properties]

Notice at the top is the “IP Filter List” column; click on that column header to sort rules by name. The firewall logic is very simple. It begins by denying all incoming/outgoing traffic on all ports to any connection. Then we use rules to allow specific ports and exemption lists access as desired. The following is a brief description of how these rules function:

1-DENY UDP ALL: Denies ALL Inbound and Outbound UDP Connections

2-DENY TCP ALL: Denies ALL Inbound and Outbound TCP Connections

3-DENY BAD IP: Explicitly denies access to IPs/Subnets, even to already opened ports (overrides the allowed-ports rules)

4-EXEMPTIONS: We specify here all IPs/Subnets that we wish to give explicit access to ALL ports regardless of which ports are blocked (overrides the Deny TCP/UDP rules)

The rest of the rules indicate which ports to open. If there is a check mark next to a rule, the rule is active and the port is open to everyone except the IPs in the 3-DENY BAD IP list.

If there is no check mark next to a rule, the port is blocked to everyone except the 4-EXEMPTIONS list.

We’ll notice some of the rules indicate Server/Client access. This is necessary since we’ve blocked both incoming and outgoing ports. Thus, if we need to connect to an SSH server from our Windows machine, we need to enable SSH Client. However, if we need external clients to connect to our Windows server using SSH, we need to enable SSH Server. Basically, Client means allow outgoing connections while Server means allow incoming connections.

We’ve by default enabled the most popular ports: HTTP/HTTPS, SMTP, POP3, MSSQL, RDP. Please review the firewall lists before deciding to enable the Network Firewall policy.
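To make the rule interplay above concrete, here is an added example (not from the original post, and not the downloadable policy itself) that models how a policy built this way resolves a connection. Windows IPsec applies the most specific matching filter, weighing the address more than the protocol and the protocol more than the port; that ordering is what lets 3-DENY BAD IP override an opened port and 4-EXEMPTIONS override the DENY TCP/UDP ALL rules. The addresses, ports and filter names are constructed for the demonstration, and the tie-break in favour of a blocking filter is a modelling choice of this example.

```python
# Added example: a small model of the "Network Firewall" policy's matching.
# Addresses and ports below are constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = connection to this server, "out" = from it
    protocol: str    # "TCP" or "UDP"
    remote: str      # the other end of the connection
    dst_port: int


@dataclass(frozen=True)
class Filter:
    name: str
    action: str               # "permit" or "block"
    direction: str            # "in" (Server rule), "out" (Client rule) or ANY
    protocol: str             # "TCP", "UDP" or ANY
    src: str                  # ANY, a single remote IP, or a CIDR subnet
    dst_port: Optional[int]   # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != ANY and self.direction != pkt.direction:
            return False
        if self.protocol != ANY and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src != ANY and ip_address(pkt.remote) not in ip_network(self.src, strict=False):
            return False
        return True

    def specificity(self) -> int:
        # Address specificity dominates, then protocol, then port.
        if self.src == ANY:
            addr = 0
        elif ip_network(self.src, strict=False).num_addresses == 1:
            addr = 2
        else:
            addr = 1
        return addr * 100 + (self.protocol != ANY) * 10 + (self.dst_port is not None)


# Sample policy in the spirit of the rule list above.  The two MSSQL filters
# express the case Windows Firewall 2003 could not: port 1433 open to exactly
# two addresses in two different networks.
NETWORK_FIREWALL = [
    Filter("1-DENY UDP ALL", "block", ANY, "UDP", ANY, None),
    Filter("2-DENY TCP ALL", "block", ANY, "TCP", ANY, None),
    Filter("3-DENY BAD IP", "block", ANY, ANY, "203.0.113.0/24", None),
    Filter("4-EXEMPTIONS", "permit", ANY, ANY, "192.0.2.10", None),
    Filter("HTTP Server", "permit", "in", "TCP", ANY, 80),
    Filter("MSSQL Server", "permit", "in", "TCP", "198.51.100.5", 1433),
    Filter("MSSQL Server", "permit", "in", "TCP", "192.0.2.77", 1433),
    Filter("SSH Client", "permit", "out", "TCP", ANY, 22),
]


def decide(policy, pkt: Packet):
    """Return (action, filter name) of the most specific matching filter.
    On a tie the blocking filter wins (a conservative modelling choice)."""
    candidates = [f for f in policy if f.matches(pkt)]
    if not candidates:
        return "permit", "(no filter matched)"
    best = max(candidates, key=lambda f: (f.specificity(), f.action == "block"))
    return best.action, best.name


def evaluate_samples(policy=NETWORK_FIREWALL):
    """Run a handful of constructed connections through the policy."""
    samples = {
        "http from anyone":      Packet("in", "TCP", "198.51.100.9", 80),
        "http from bad subnet":  Packet("in", "TCP", "203.0.113.4", 80),
        "mssql from allowed ip": Packet("in", "TCP", "198.51.100.5", 1433),
        "mssql from other ip":   Packet("in", "TCP", "198.51.100.6", 1433),
        "rdp from exempt ip":    Packet("in", "TCP", "192.0.2.10", 3389),
        "outbound ssh":          Packet("out", "TCP", "198.51.100.20", 22),
        "inbound ssh":           Packet("in", "TCP", "198.51.100.20", 22),
        "inbound dns udp":       Packet("in", "UDP", "198.51.100.20", 53),
    }
    return {label: decide(policy, pkt)[0] for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, action in evaluate_samples().items():
        print(f"{label:24s} -> {action}")
```

Running it shows the behaviour the rule descriptions promise: the opened HTTP port is still closed to the bad subnet, the exempt address reaches RDP even though no RDP rule is enabled, and SSH works only in the Client direction. The same model is a quick way to sanity-check your own rule list before assigning the policy on a remote server.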

When we’re ready to activate the Network Firewall, from the IPSec snap-in right-click on the “Network Firewall” policy and select “Assign”:

[Screenshot: Assign Network Firewall IPSec policy]

This will enable the firewall on the current system. If for any reason we wish to disable the firewall, right-click on the “Network Firewall” policy again and click on “Un-Assign”.

NOTE: The Network Firewall rules are very aggressive and may not be suitable for all situations. By default, the firewall will block all incoming/outgoing traffic except to those explicitly allowed ports/IPs. This may cause some issues with FTP access and with connecting to outside networks on special ports. If we require connecting to certain outgoing ports, we must add a rule within the Network Firewall to allow such connections.

We do not provide any warranties or guarantees for the use of these firewall rules. Use at your own risk. However, we’ve been using them on our network for many years without any issues.

If you have any questions or feedback, feel free to post your comments.

May 11, 2008

Free Tools to keep your computer secure

Protecting your PC has never been more important than it is today. New generations of spyware that hide themselves very well within your system environment, collecting details and controlling your PC as a zombie, can wreak havoc not only on your system but on the internet in general.

Imagine how hackers are able to utilize the power of thousands of hacked PCs online to bring down servers across the internet. This is what we know as a DDoS (Distributed Denial of Service) attack. DDoS attacks have brought many major sites to their knees for days and sometimes weeks. The most recent such attack is the one on Estonia’s government, bringing down their banking and government services for several days.

The main root cause of DDoS attacks is the exploitable, unprotected computers connected to the internet, which hackers from thousands of kilometers away quietly control to attack other internet devices.

So we’re listing here a few applications you can use on your Windows operating system that will help protect and clean your computer from most known viruses/spyware:

1) Windows Defender: A tool developed by Microsoft and available for free to legally registered Windows machines. It provides protection against common spyware and exploits in the Windows OS. It can be downloaded for free from: http://www.microsoft.com/athome/security/spyware/software/default.mspx

2) Google Pack: Offers multiple applications for productivity and security. The most important applications in the Google Pack are: Norton Security and Spyware Doctor Lite Edition. The Google Pack can be downloaded for free from: http://www.microsoft.com/athome/security/spyware/software/default.mspx

3) Avast AntiVirus: Freely available for non-commercial use. The Avast anti-virus and anti-rootkit provides ultimate protection against harmful malware. You can check the Avast site for more info at: http://www.avast.com/eng/avast_4_home.html

4) AVG AntiVirus: Another freely available antivirus for non-commercial use. It also contains an anti-spyware tool and can be downloaded for free from: http://free.grisoft.com/

5) Make sure your Windows OS is up to date: Check http://windowsupdate.microsoft.com for the latest Windows updates

6) Enable your Windows Firewall: This can typically be found on most Windows XP SP2 computers under your “Control Panel”. Windows Firewall will prevent unwanted connections from being made from or to your computer.

7) Internet Browser Protection: If you wish to protect someone using your computer from browsing malicious or inappropriate websites, we’d highly recommend you try OpenDNS to minimize your network’s exposure to unwanted websites.

The old saying goes: “Prevention is the best Protection”, which still applies on the internet today. Just one last note: the more antivirus and antispyware applications you load on your Windows system, the slower your system will perform. In general, we wouldn’t recommend installing any of these applications on your Windows systems unless you have 512MB of RAM for Windows XP or 1GB of RAM for Windows Vista.

April 30, 2008

SQL Security Vulnerability in Poorly Designed Applications

Filed under: Technical — admin @ 11:26 am

Recently there has been a widespread exploit that targets poorly designed applications on the Windows platform. The exploit is not the result of a security hole in Windows, IIS or SQL Server. Rather, it is the result of web applications not properly validating user input before passing it to the SQL server.

The vulnerability recently gained a high profile when a few hackers were able to hack into the United Nations website and tens of thousands of others.

Therefore, it is imperative that you check your application code for any vulnerabilities that can lead to a potential hack of your database and possibly the whole server.

For more information on this exploit, please visit the following sites:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580

http://hackademix.net/2008/04/26/mass-attack-faq

On our end, we’ve tightened the security on the servers as much as possible without compromising accessibility. However, because this vulnerability is the result of poor application coding, the best way to protect your site is to validate user input before passing it to the SQL server. The references included above will give your web developer a better idea of how the exploit works.

If you have any questions or concerns about this issue or others, please don’t hesitate to contact our support department.

UPDATE: Techtarget has a good article on how to test your application at: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci996071,00.html Basically, if your application passes variables in the URL, as in home.asp?a=value, then try passing a=val’ue and see whether this breaks the MSSQL query. If it does, then you may have a problem there.
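Here is an added example (not from the original post, written in Python with SQLite rather than classic ASP with MSSQL) of why the a=val’ue test above “breaks” a query built by string concatenation, and of the parameterized form that does not. The table and rows are constructed for the demonstration; the same error-on-quote behaviour is what the test looks for against MSSQL.

```python
# Added example: the quote test from the update above, run against a query
# built by concatenation and against a parameterized query.  The table and
# its rows are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (a TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [("value", "home page"), ("about", "about page")])
    return conn


def lookup_concat(conn: sqlite3.Connection, a: str):
    # Vulnerable pattern: the URL variable is pasted into the SQL text, so a
    # quote in the input ends the string literal early and whatever follows
    # is parsed as SQL instead of being treated as data.
    sql = "SELECT body FROM pages WHERE a = '" + a + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, a: str):
    # Fixed pattern: the value is bound as a parameter, so the database
    # always treats it as data, quotes included.
    rows = conn.execute("SELECT body FROM pages WHERE a = ?", (a,))
    return [row[0] for row in rows]


def quote_breaks_query(conn: sqlite3.Connection, a: str) -> bool:
    """The check described in the update: does this input make the
    concatenated query fail with a SQL error?  An error is the warning sign
    that the input reached the SQL parser."""
    try:
        lookup_concat(conn, a)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concat, normal value:", lookup_concat(db, "value"))
    print("concat, val'ue breaks query:", quote_breaks_query(db, "val'ue"))
    print("param, val'ue:", lookup_param(db, "val'ue"))
    print("param, normal value:", lookup_param(db, "value"))
```

The concatenated lookup works for ordinary input and fails with a syntax error for val’ue, which is exactly the symptom the test above looks for. The parameterized lookup returns an empty result for val’ue and the right row for value, because the quote never reaches the SQL parser. That is the change to make in the application code rather than trying to strip quotes from the input.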

UPDATE: This is a good blog post about things that can be done to help find the problem in the code (URLScan 3, Scrawlr, MSCASI):

http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx

UPDATE: This is another great article on Cross-Site Scripting and ASP.NET; though not directly related to the SQL issue, it does underline the importance of properly designed code:

http://forum.dotnetpanel.com/blogs/dan/archive/2009/02/11/cross-site-scripting-in-asp-net.aspx
