A number of security policy settings, if misconfigured, can leave a system open to compromise. A vulnerability checker, such as SAFESuite, eNTrax, or KSA, needs to plow through the system and find any weaknesses. A vulnerability is not necessarily a hack. For example, if the Administrator password is blank, this is not exactly what you would call a well-known and carefully orchestrated hack. A configuration error such as this is simply poor administration, unless you had set the password yesterday and today you find that it has been cleared.
NT vulnerability checkers look for NT configuration problems such as the following:
For each of the problems listed, many scenarios exist. David LeBlanc of ISS identified registry key permissions on the Winlogon entry that allowed Server Operator users to set the initial program for other users. The same flaw allowed operators to change the initial program run when the NT operating system booted. Thus, one could easily obtain copies of another user's files even though under normal conditions one would not have read permission to those files. Server Operator users could also exploit this hole to easily gain Administrator rights. Plenty of other examples demonstrate vulnerabilities ranging from mild to severe.
This list represents only a subset of the vulnerabilities a local system can face. Because tracking the security state of these items is nearly impossible without automation, you should invest in one of the NT scanners described in this chapter.
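The two checks just discussed, a blank Administrator password and an over-permissive ACL on the Winlogon key, are the kind of rule a vulnerability checker applies to each host. The following is an added example of that rule logic, not code from SAFESuite, eNTrax or KSA. The access-control entries and the account table are constructed; a real scanner would read the key's security descriptor and the account database from the live system. The registry access-mask constants and the full Winlogon key path are real Windows values that the chapter itself does not spell out.

```python
"""Configuration checks in the style of an NT vulnerability scanner.

Added example, not code from SAFESuite, eNTrax or KSA.  The access-control
entries and account records below are constructed; a real scanner would read
the key's security descriptor and the account database from the live system.
"""
from dataclasses import dataclass

# Registry access-mask bits as defined in winnt.h (real values, not on the page)
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_READ = 0x00020019
KEY_ALL_ACCESS = 0x000F003F
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000

# Any of these lets the holder change the key's contents or its protection
WRITE_CLASS_RIGHTS = (
    ("KEY_SET_VALUE", KEY_SET_VALUE),
    ("KEY_CREATE_SUB_KEY", KEY_CREATE_SUB_KEY),
    ("WRITE_DAC", WRITE_DAC),
    ("WRITE_OWNER", WRITE_OWNER),
)

# Principals allowed to hold write rights on sensitive keys
TRUSTED_WRITERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}

# Real path of the key the chapter refers to (the page gives only its name)
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: who, which access mask, allow or deny."""
    trustee: str
    access_mask: int
    allow: bool = True


def check_key_acl(key, aces, trusted=TRUSTED_WRITERS):
    """Report every allow-ACE that grants a write-class right to an untrusted principal."""
    findings = []
    for ace in aces:
        if not ace.allow or ace.trustee in trusted:
            continue  # deny entries and trusted writers are not findings
        held = [name for name, bit in WRITE_CLASS_RIGHTS if ace.access_mask & bit]
        if held:
            findings.append(f"{key}: {ace.trustee} holds {'|'.join(held)}")
    return findings


def check_blank_passwords(accounts):
    """Report enabled accounts with an empty password (accounts: name -> (password_set, enabled))."""
    return [f"account {name}: blank password"
            for name, (password_set, enabled) in accounts.items()
            if enabled and not password_set]


# Constructed system state: the Winlogon ACL as a misconfigured server might present it
SAMPLE_WINLOGON_ACL = [
    Ace("NT AUTHORITY\\SYSTEM", KEY_ALL_ACCESS),
    Ace("BUILTIN\\Administrators", KEY_ALL_ACCESS),
    Ace("BUILTIN\\Server Operators", KEY_READ | KEY_SET_VALUE),  # the weakness
    Ace("BUILTIN\\Users", KEY_READ),
    Ace("Everyone", KEY_SET_VALUE, allow=False),                 # deny entry, harmless
]

# Constructed account table: name -> (password_set, enabled)
SAMPLE_ACCOUNTS = {
    "Administrator": (False, True),  # blank password on an enabled account
    "Guest": (False, False),         # blank but disabled: not reported
    "jdoe": (True, True),
}


def scan(acl=SAMPLE_WINLOGON_ACL, accounts=SAMPLE_ACCOUNTS):
    """Run both checks and return the combined list of findings."""
    return check_key_acl(WINLOGON_KEY, acl) + check_blank_passwords(accounts)


if __name__ == "__main__":
    for line in scan():
        print(line)
```

Run against the constructed state, `scan()` returns two findings: the Server Operators entry holding `KEY_SET_VALUE` on the Winlogon key, and the enabled Administrator account with no password. Deny entries and the disabled Guest account are deliberately skipped, because a scanner that reports those produces noise rather than findings.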
This section describes some of the leading NT IDSs. Unfortunately, it is impossible to describe all of the IDS offerings for NT today. The products here were selected because in many ways they are complementary rather than competitive.
As in your examination of UNIX IDSs, you need to consider both the features provided by the tools that are important for managing the IDS and the list of attacks detected. You should consider the following systems management factors:
Because new product releases appear at least every quarter, you should contact the IDS vendors directly for the latest information on tools you are interested in deploying. Naturally, only by running the products in pilot projects will you be able to properly evaluate them.
Slightly more than a year old, Centrax (www.centraxcorp.com) is a company formed primarily by experts from the CMDS team formerly with SAIC. Many skilled IDS programmers also have joined the Centrax team. The chief product developed by Centrax is called eNTrax.
eNTrax provides key benefits to an organization including the following:
eNTrax consists of two main components: a Command Console and a Target Service. The Command Console provides centralized management of the network. Figure 10.1 shows the main eNTrax console. From the console, you can monitor, detect, and respond to security problems on remote systems. At the console, an administrator is alerted to potential misuses and attacks. Responses to attacks can be configured in advance, or an administrator can select a security alert and respond interactively. Today, eNTrax supports remote system shutdown, remotely killing the login session of the offending user, and disabling the login capabilities of a user. The Command Console manages configuration and collection of audit data from target computers. This feature is valuable because it consolidates log files from NT targets onto a common server. You can keep the raw audit data as NT records it or rely on the event database that eNTrax constructs from the data.
Figure 10.1 Command Console for eNTrax.
A target computer is any workstation or server on the network. Each target computer creates audit data as a user performs work such as opening files, copying files, or deleting files. The Target Service, installed on each workstation and server in the network, enables a communications channel between the Command Console and the target.
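The console/target split described above, with audit records forwarded from each target, consolidated into a central event database, and matched against responses configured in advance, can be sketched in a few dozen lines. The following is an added example and not eNTrax code: the record layout, field names, the threshold and the response names are assumptions, the records are constructed, and the NT security-log event IDs used (528, 529, 560) are real values that the chapter itself does not mention. The response is recorded rather than executed, which is where an administrator would choose between the pre-configured action and an interactive one.

```python
"""Consolidating audit records from several target hosts into one event
database and applying responses that were configured in advance.

Added example, not eNTrax code.  The record layout, field names, threshold
and response names are assumptions; the records are constructed.
"""
import sqlite3

# Security-log event IDs of NT 4 (real values; the page itself names none)
LOGON_SUCCESS = 528
LOGON_FAILURE = 529
OBJECT_OPEN = 560

# Constructed records as target services might forward them to the console
RAW_RECORDS = [
    {"host": "NT-WS01", "event_id": LOGON_FAILURE, "username": "jdoe", "time": "1999-03-01T08:00:01"},
    {"host": "NT-WS01", "event_id": LOGON_FAILURE, "username": "jdoe", "time": "1999-03-01T08:00:09"},
    {"host": "NT-SRV02", "event_id": LOGON_FAILURE, "username": "jdoe", "time": "1999-03-01T08:00:15"},
    {"host": "NT-SRV02", "event_id": LOGON_SUCCESS, "username": "asmith", "time": "1999-03-01T08:01:00"},
    {"host": "NT-SRV02", "event_id": OBJECT_OPEN, "username": "asmith", "time": "1999-03-01T08:01:04",
     "object": r"D:\payroll\q1.xls"},
    {"host": "NT-WS03", "event_id": LOGON_FAILURE, "username": "asmith", "time": "1999-03-01T08:02:00"},
]

# Responses an administrator configured ahead of time (assumed rule name; the
# page lists shutdown, killing the session and disabling login as the choices)
RESPONSE_FOR = {"failed_logon_burst": "disable_login"}


def build_event_db(records):
    """Load forwarded records into a central SQLite event database (in memory here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (host TEXT, event_id INTEGER, username TEXT, "
        "time TEXT, object TEXT)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?, ?, ?)",
        [(r["host"], r["event_id"], r["username"], r["time"], r.get("object"))
         for r in records],
    )
    conn.commit()
    return conn


def events_per_host(conn):
    """Summary a console would show: number of records received from each target."""
    rows = conn.execute("SELECT host, COUNT(*) FROM events GROUP BY host ORDER BY host")
    return dict(rows.fetchall())


def failed_logons_per_user(conn):
    """Failed logons per account across all hosts: user -> (failures, distinct hosts)."""
    rows = conn.execute(
        "SELECT username, COUNT(*), COUNT(DISTINCT host) FROM events "
        "WHERE event_id = ? GROUP BY username",
        (LOGON_FAILURE,),
    )
    return {user: (failures, hosts) for user, failures, hosts in rows}


def plan_responses(conn, threshold=3):
    """One alert, carrying its pre-configured response, per account at or over the threshold."""
    alerts = []
    for user, (failures, hosts) in failed_logons_per_user(conn).items():
        if failures >= threshold:
            alerts.append({"user": user, "failures": failures, "hosts": hosts,
                           "response": RESPONSE_FOR["failed_logon_burst"]})
    return alerts


if __name__ == "__main__":
    db = build_event_db(RAW_RECORDS)
    print(events_per_host(db))
    for alert in plan_responses(db):
        print(alert)
```

The point of the central database is visible in the query: jdoe's three failures are spread over two hosts, so no single target's log would cross a threshold of three, but the consolidated view does. The raw records list is kept alongside the database, matching the choice the text describes between retaining NT's own audit data and working from the constructed event store.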