As I write this month's column, the “Code Red” worm has just started its second wave of attach on the Internet. This worm, though a major annoyance, hasn't inflected significant damage to the network or to its intended targets. The major effect has been to clog the pipes a bit and to put a strain on the servers that have been infected. As the worm multiplies and spreads, it consumes bandwidth, reducing performance, but so far not to a degree that would be noticed. Once again we have been lucky that such a pervasive virus was not programmed to be dangerous. But we should take this as a harbinger of things to come. Worms and viruses are more pervasive than ever, are becoming more sophisticated, and are increasingly aimed at systems that run operating systems and software from Microsoft.
These days anti-Microsoft sentiment abounds. Many devotees of the Linux operating system and the open source movement, for example, are completely unsympathetic towards Microsoft's software and business approach. The hacking/cracking community shows extreme disdain—an increasing number of worms, viruses and other “malware” target the various Windows platforms.
In the libraries at Vanderbilt, we run several different kinds of servers: Novell NetWare, Sun Solaris, and Windows NT/2000. NetWare, in my opinion, embodies the strongest security architecture. My experience is that Windows systems can be operated just as securely as the various flavors of Unix, given the same degree of time and attention. Regardless of the relative technical advantages or disadvantages of Windows operating systems versus others, the reality is that these systems are extremely widely deployed in libraries, and that it is very important for libraries to maintain them in a safe way.
Code Red exploits Microsoft Windows NT and Windows 2000 servers, specifically those that run Microsoft's Internet Information Server (IIS), with its automatic page indexing facility. This flaw was discovered at least a month before the virus was unleashed and a patch to the operating system was made available by Microsoft. The worm was effective because a large percentage of IIS users had not downloaded and installed the patch.
Windows NT and 2000 servers have become very common in libraries. Libraries naturally favor computer systems that are easy to setup and manage. Almost all library automation systems can operate on either Unix servers or on Windows NT/2000 servers. Some operate exclusively on Windows such as Gaylord's Polaris. With the systems that can run either operating system, vendors tend to recommend Unix systems for their larger customers and Windows NT/2000 for smaller sites. A very large number of libraries have received one or more NT servers through grants from the Bill and Melinda Gates Foundation.
Windows NT/2000 is simple to setup and operate. This characteristic makes them a good choice for many libraries where technical support is not abundant. Library staff without extensive technical training and expertise can generally manage an NT/2000 server more effectively than they would be able to administer a comparable Unix system.
In this month's column, I will give some practical steps that can be taken to run Windows NT/2000 servers in a more secure way. If you are an experienced Windows system administrator, you have implemented even more extensive security measures beyond the basics described here. These tips are intended to help those charged with overseeing one or more NT/2000 servers that don't necessarily have a lot of technical experience.
Regularly update your system
It's tempting to leave a server that is functioning well alone. “If it isn't broken, don't fix it” reflects this attitude. Many libraries have a servers that were installed by a vendor, by a former employee, by a friend of a friend—by someone no longer available to maintain them. Current staff might feel uncomfortable with making changes or installing software on a system that they don't understand well. I've seen this scenario time after time in the libraries in which I have done consulting. Rise above those insecurities, with care, and you will be able to save your library from downtime or other inconveniences that result from a security compromise.
One of the main pitfalls of network servers of any type is inattention. Check its operation frequently, become familiar with all the operating system components and software applications it runs. Keeping the operating system up-to-date will make it much more secure. That is not to say that you should run out and upgrade all your Windows NT servers to Windows 2000. Windows NT is secure, provided you install all its service packs and security patches.
In order to assess the currency of your server's software, you need to know what version of the operating system and Service Packs are installed. On a Windows NT system can see this information by choosing the Windows NT Diagnostics program from the Administrative Tools section of the Start menu. With Windows 2000 the same information is available by right clicking on the “My Computer” icon on the desktop. As of this writing the latest update for Windows NT 4.0 is Service Pack 6a and the latest for Windows 2000 is Service Pack 2. For NT, SP6a is the latest that Microsoft plans to release as a comprehensive set. Individual hot fixes for specific problems will be released as needed.
Do not let yourself become even one Service Pack behind. Installing Service Packs and Hot Fixes can be accomplished easily—it is not a technically difficult task. You will need to be logged into the server as the Administrator user, or an equivalent account. All updates can be obtained through Microsoft's Windows Update site at http://windowsupdate.microsoft.com. This site will show you what updates you already have installed, and any new ones that are available. In almost all cases installing the updates will be an easy point-and-click process. They will go into effect when you restart your server.
Microsoft's Web site includes a section dedicated to security at: www.microsoft.com/security. While much of the information there is relatively technical, this is a good resource. The pages on “Best Practices” and “The Basics of Security” might be good places to start.
Install a personal firewall. The ZoneAlarm personal firewall from ZoneLabs can make a drastic improvement in the security of a NT/2000 server. ZoneLabs offers the basic ZoneAlarm without cost for personal use, and offers the more sophisticated ZoneAlarm Pro for businesses and for individuals who want its advanced features. The cost for ZoneAlarm Pro is about currently less than $40US, and well worth the investment. There are competing products, but this is one that I have personally used in many different environments. The software can be downloaded from http://www.zonelabs.com/. Installation is easy and mostly automatic. Once active, it will ask you whether or not to allow programs to access the Internet, or to act as a server for other systems to access.
Personal firewalls improve security through systematically regulating the network traffic that comes into and out of your computer. One of the problems with network servers is that they often have more services active than are necessary. Personal firewalls will make you aware of the services that are running on your server and give you the ability to shut down access to all but those that are essential.
Eliminate all unneeded Network Services
A service is a software program that listens for requests of a particular kind through the computer's network interface. While a computer generally has only one network address, it can operate with many different programs simultaneously through its multiple ports. The most common network applications have pre-assigned ports and custom programs can use any available port. A Web server, for example, listens on port 80, mail operates on port 25, ftp on ports 20 and 21, and so forth. The more services that are running on a computer, the more ports are actively listening for requests, each susceptible to security concerns.
One of the basic methods of improving security on a server involves reducing the number of active service ports to the absolute minimum. Avoid installing server components that you do not specifically plan to use, review what network ports are active, and disable all unneeded services.
When installing an NT/2000 server plan from the very beginning the functions that should be available. While it is tempting to install everything possible just in case you might want to try it out at some future point, it is much safer to leave unneeded components out of the initial installation. You can come back and install them at any point in the future.
Many of the network services available in a Windows NT/2000 help establish the infrastructure of an organizations network. DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), WINS (Windows Internet Name Service) and the like are all necessary parts of an network, but don't need to be active on every server. If you are part of a larger network, consult with your network administrator to see if you need to operate these services. In most cases libraries do not need to run these core infrastructure services, since they are usually provided by the ISP (Internet Service Provider) or the University, Municipal, or corporate network in which the library's network participates.
Windows NT/2000 provides Web, Mail, FTP, and News services through its Internet Information Server component. When installing IIS it is easy to install and activate more than you need. In most cases all that you really need is the basic Web service. Other services such as FTP, the Administrative Web server, and Mail should be stopped and disabled if you do not have a pressing need for them. All these services are managed through the “Internet Services Manager” console that is part of the Administrative Tools section of the start menu.
In addition to paring down unnecessary services, removing unnecessary items from the Web server will also improve security. IIS comes with many sample pages and scripts. I remove all the sample Active Server Pages (ASP) and scripts from each of the production IIS servers I manage. Removing superfluous items from the Web server's document and scripts directories will make it easier to manage the content of the Web site as well tighten up security.
Testing for Vulnerabilities
There are a number of tools available to help you assess the security of your server. One of my favorite sites for easy-to-use assessment tools is Gibson Research Corporation at www.grc.com. This site, created by computer industry veteran Steve Gibson, provides a number of very well written utilities that help you identify security concerns. Each of these utilities is easily invoked from the main page of the GRC Web site.
PatchWork is a program that you can download and run that inspects your NT/2000 server for the current set of known security vulnerabilities. It guides you through the process of installing any patches that are needed to shore up your system. This program, written by Gibson for the Center for Internet Security, checks the version of IIS installed on your computer and notifies you of a number of known major vulnerabilities. For each of the vulnerabilities it finds, it directs you to the patches required to fix them on Microsoft's Web site. Don't depend on PatchWork exclusively—there may be new vulnerabilities that it hasn't been updated to detect. But it's imperative that you fix any problems that it detects, since these are well-known by the hacker community.
Shields UP is a utility that checks any Windows-based computer, whether it be a server or workstation for another set of security issues. One of the most common problems with Windows systems is that they can easily to configured to share their files over the Internet in very unprotected ways. Windows file-sharing should always be restricted to the local network. Shields UP attempts to connect to your computer's local file system, and notifies you if it is able to do so. It provides instructions on how to properly configure your computer's networking properties if it finds this weakness.
Probe My Ports is a complementary utility that scans each of the ports at your computer's network address, notifying which ones are active. For each of the well-known ports, it indicates how your computer responds. The best response is termed “stealth” where a remote computer sees no evidence that the port even exists. A “closed” port responds as present, but not currently taking requests. An “open” port is active and ready for work. You should be sure that the ports that this utility finds open correspond exactly to the services that the computer is designed to provide. If the computer is used as a Web server exclusively, only port 80 should respond as open.
In the short space of this column, I can't provide a complete tutorial on Windows NT/2000 security. These are just a few practical tips to give you an initial security assessment and to help get your servers to some reasonable level of safety.
I've said it many times that we live in a dangerous world when connected to the Internet. It's getting worse all the time. We must all stay vigilant to ensure that our computer systems are not turned against us.