May 2003

System Evaluation
With networking skills rivaling those of less knowledgeable script kiddies, I set out to perform a system evaluation that would meet the requirements of this assignment. Of all the requirements for this course, this one seemed the most challenging and potentially difficult, yet in the end, probably the most practical.

System Information

My personal laptop offered good potential for this kind of test, especially since I have not spent much effort in setting up security for it. The laptop is a Gateway Solo 9500 with a 1.1 GHz processor running Windows 2000 Professional. Since I only occasionally connect to the Internet via the wireless network at UNC, I have not felt compelled to install a firewall on this computer or been particularly threatened by not having one (ignorance is bliss!). For personal email, I use Yahoo! and have my UNC mail forwarded to this account. I am running a copy of Norton Antivirus Corporate Edition that I downloaded from the UNC shareware site. This software is updated periodically through the Live Update function, and a complete system check for viruses is performed on an irregular basis, around two or three times a year.

Criteria

I developed three criteria for evaluating this system, as follows:

1 - Perform a vulnerability test and penetration test.

Performing a vulnerability and penetration test depended on my ability to locate and get working some sort of third-party analysis software. Without installing and running Linux on any system personally accessible to me, the opportunity to use SAINT or Nmap for vulnerability evaluation was limited. After some research, I located a website that offered links to several programs available for Windows machines that might serve as an adequate replacement.
I eventually decided on a combination test that included a program called SuperScan 3.0, which I could operate from either the laptop itself or another computer, and I double-checked this test with Shields Up!, an independent vulnerability testing website. My options were fewer when it came to attempting a penetration test. For this aspect I settled on a program entitled Userinfo 1.5 that was supposed to exploit an area of weakness spotted during the vulnerability-testing phase.

2 - Check the system against the Microsoft Windows 2000 security checklist.

During the research phase, I came across the Microsoft Windows 2000 Professional baseline security checklist. As advertised, this checklist contains pertinent security information for operating a machine or network using MS Windows 2000 Professional. In some cases, brief explanations are offered for each point in the checklist.

3 - Consider the physical security of the system.

In my opinion, the physical security of this computer represents the greatest challenge. Recent thefts from lockers in SILS have made me more aware than usual of the security of laptops on campus or, for that matter, anywhere. Additional research on the web produced several interesting and useful documents that I used as background information to analyze the physical security of this laptop, including one on laptop security guidelines and another on security components.

Results

Vulnerability and Penetration Test Results

During the penetration testing, both Shields Up! and SuperScan 3.0 identified open ports that might offer someone access to my computer. Port 135 was identified by both scans as open and vulnerable. A very nice feature of Shields Up! is that it offers explanations of the various ports and how to secure them. In the case of port 135, it was identified as an un-closable Windows port that requires a firewall for security.

In addition to port 135, SuperScan 3.0 found ports 139 (NetBIOS Session Service), 445 (Microsoft-DS) and 1025 (Network Blackjack) open as well. This is very disturbing, especially in the case of port 139, a favorite hacker entry port.
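The following is an added PowerShell example, not part of the original report, that shows the defender's side of the scan results above: it triages a list of listening TCP ports against the four ports the scans flagged and reports whether a host firewall is enabled, since the report notes that a firewall is the only mitigation for port 135. The port table and the sample port list are constructed for this example; the cmdlets Get-NetTCPConnection and Get-NetFirewallProfile exist on Windows 8 / Server 2012 and later, not on Windows 2000.

```powershell
# Added example (not from the original report): classify listening TCP ports
# against the ports the scan found, and check the host firewall profiles.

# Constructed watch list covering the ports named in the report.
$WatchList = @{
    135  = 'RPC endpoint mapper: cannot be closed, must be shielded by a firewall'
    139  = 'NetBIOS Session Service (SMB over NetBIOS): file and printer sharing'
    445  = 'Microsoft-DS (SMB directly over TCP): file and printer sharing'
    1025 = 'IANA name "blackjack"; on Windows usually the first dynamic RPC port'
}

function Get-PortExposure {
    # Returns one row per distinct port, flagging the ones on the watch list.
    param([Parameter(Mandatory)] [int[]] $ListeningPorts)
    foreach ($port in ($ListeningPorts | Sort-Object -Unique)) {
        $known = $WatchList.ContainsKey($port)
        [pscustomobject]@{
            Port = $port
            Flag = $known
            Note = if ($known) { $WatchList[$port] } else { 'not on the watch list' }
        }
    }
}

function Get-FirewallStatus {
    # One row per profile. Enabled = False on any profile means the flagged
    # ports are reachable whenever that profile is active.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

# Constructed sample reproducing the scan results in the report, with a
# deliberate duplicate and one unrelated port to show the non-flagged path.
$sample = 135, 139, 445, 1025, 135, 8080
Get-PortExposure -ListeningPorts $sample | Format-Table -AutoSize

# Live use on a current Windows host (listing needs no elevation):
# Get-PortExposure -ListeningPorts (Get-NetTCPConnection -State Listen).LocalPort | Where-Object Flag
# Get-FirewallStatus
```

The sample run flags 135, 139, 445 and 1025 once each and leaves 8080 unflagged. The point of the second function is the one the report makes in prose: for a port such as 135 that the service model does not let you close, the control to verify is the firewall, not the port.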
Unfortunately, the penetration testing was not as successful. Userinfo 1.5 was designed to exploit port 139 and retrieve information about the system, including the owner ID, that could be useful in a social engineering attack. After downloading and installing Userinfo 1.5, I found that it failed to open properly on two separate computers running Windows. Since there was scant information regarding the operation of this program, it is likely that there was some sort of operating system conflict. After several attempts to get this program to operate, I opted to cancel the penetration test and deleted the program.

Checklist Results

The Microsoft security checklist is best applied to a machine permanently connected to a network and accessible by multiple users. Additionally, some of the suggestions were somewhat beyond what I wanted to address (adding information to the program registry comes to mind). However, there are several important points that are easily applied to this computer.

Strong administrator password? – Between class discussion, the Schneier book and Microsoft's recommendations, I would say that there is room for improvement here. Windows 2000 allows passwords up to 127 characters. My six-character password, made up only of alphabetic and alphanumeric characters, seems to be lacking.

Is the guest account disabled? – The guest account is an easy way into the system should the laptop ever be stolen. This computer has an active guest account that will need to be disabled. No need to make it any easier on them!

Is the account lockout policy activated? – The account lockout policy is located in the local security file in the administration folder. A quick check revealed that the lockouts are disabled.

Is antiviral software installed? – There is a copy of Norton Antivirus software, Corporate Edition, installed and regularly updated.

Are the latest service pack and security patches installed? – This is not done on a regular basis and needs attention.
Is the administrator's account configured properly? – Microsoft suggests changing the administrator account name from Admin to something less obvious. This would make it harder for anyone to break into the system by making it difficult to gain control of the machine as the administrator. At present, the administrator account has the default Admin tag.

Physical Security Results (aka "it was here a second ago!")

Below are several physical security points that I applied to this computer:

Is there an asset tag or engraving to identify this computer if recovered after a theft? – This computer does not have an asset tag, nor has it been marked or engraved.

Is it registered with the manufacturer? – Yes. The computer is registered with Gateway.

Is a cable locking system used? – I have never purchased a cable lock for this machine.

Is tracking software installed to provide an alert in the case of theft? – This machine does not have tracking software installed.

Is the laptop carried in a nondescript case, such as a backpack? – I carry this laptop in a standard over-the-shoulder computer case.

Are assumptions made that it is safe in certain places? – I never leave my laptop unattended. That said, I have left it in the care of classmates that I personally know.

How is the computer stored when traveling? – Whenever I travel by automobile, the laptop goes in the trunk of the car. Long restaurant breaks that might expose it to thieves are not usually taken. While riding on a Chapel Hill Transit bus, I keep it on my lap or over my shoulder. I have never taken it on a plane. Overall, it is fairly secure when it travels.

Is data encryption used? – I have not used data encryption to protect the contents of this machine.

Is there an exposed infrared port? – This machine has an uncovered infrared port that could allow people in the same room the opportunity to access my files.

Recommendations

Overall, this system is a roaming security liability. There are numerous ways to improve this situation, which will be addressed in the following order. First, I think it is time to download and install a firewall, probably ZoneAlarm, since it is free and works quite well. The potential exposure to hackers has been limited to the time that I have been connected to the UNC network. Up to this point, these have been very irregular and short sessions; however, there is a good chance that this laptop will be networked into a home networking system in the near future, and a firewall will be of the utmost importance. Second, I need to devote some time to getting and installing the latest security patches from Microsoft. Several security fixes have been missed. Third, some form of ID needs to be placed on the outside of this computer. Fourth, better password protection needs to be incorporated. Fifth, several other physical security issues need to be addressed. Along with adding an asset tag or engraving, a cable lock or some kind of physical system would be helpful when having to briefly step away from the machine, even if it is left under the care of trusted others. Finally, I will be considering data encryption in the future, especially after I return to the working world. Windows 2000 offers a built-in Encrypting File System (EFS) that would be worth exploring. I will also consider using PGP for protection of the data stored on this laptop.
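As an added example, not part of the original report, the PowerShell script below turns the checklist items and the recommendations above (guest account, built-in Administrator name, lockout policy, password length, patch recency, EFS on a data folder) into a repeatable audit that prints a pass/fail row per item. It assumes the LocalAccounts cmdlets and Get-HotFix are available (Windows 10 / Server 2016 and later; on Windows 2000 the same facts come from `net user Guest` and `net accounts`), that `net accounts` prints English labels, and that the data folder is a path of your choosing. The thresholds are chosen for the example, not taken from the Microsoft checklist.

```powershell
# Added example (not from the original report): audit the checklist items and
# recommendations discussed above on the local machine.

function Test-SecurityBaseline {
    param(
        [int]    $MinPasswordLength = 12,                       # example threshold
        [int]    $MaxPatchAgeDays   = 30,                       # example threshold
        [string] $DataFolder        = "$env:USERPROFILE\Documents"  # placeholder path
    )
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row([string]$Check, [bool]$Pass, [string]$Detail) {
        $rows.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Guest is always RID 501 and the built-in Administrator RID 500, so match on
    # the SID rather than the name: the name is exactly what a rename changes.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    Add-Row 'Guest account disabled' (-not $guest.Enabled) "Enabled=$($guest.Enabled)"
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    Add-Row 'Built-in Administrator renamed' ($admin.Name -ne 'Administrator') "Name=$($admin.Name)"

    # Lockout threshold and minimum password length as reported by `net accounts`
    # (assumes English output; "Never" means lockout is disabled).
    $acct    = (net accounts) -join "`n"
    $lockout = if ($acct -match 'Lockout threshold:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    $minLen  = if ($acct -match 'Minimum password length:\s+(\d+)') { [int]$Matches[1] } else { -1 }
    Add-Row 'Account lockout policy enabled' ($lockout -notin @('Never', 'unknown')) "Threshold=$lockout"
    Add-Row "Minimum password length >= $MinPasswordLength" ($minLen -ge $MinPasswordLength) "MinLen=$minLen"

    # Patch recency: age of the newest installed hotfix versus the allowed age.
    $newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age    = if ($newest) { (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    Add-Row "Patched within $MaxPatchAgeDays days" ($age -le $MaxPatchAgeDays) "Newest=$($newest.HotFixID) AgeDays=$age"

    # EFS: every file under the data folder should carry the Encrypted attribute.
    if (Test-Path $DataFolder) {
        $files = @(Get-ChildItem -Path $DataFolder -Recurse -File -ErrorAction SilentlyContinue)
        $plain = @($files | Where-Object { [int]($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }).Count
        Add-Row 'Data folder encrypted with EFS' ($files.Count -gt 0 -and $plain -eq 0) "Files=$($files.Count) Unencrypted=$plain"
    } else {
        Add-Row 'Data folder encrypted with EFS' $false "Folder not found: $DataFolder"
    }
    $rows
}

Test-SecurityBaseline | Format-Table -AutoSize
```

Run it as a normal user to see the state; changing any of the items (disabling Guest, renaming the administrator, enabling lockout via Local Security Policy, or turning on EFS with `cipher /e /s:<folder>`) needs an elevated prompt. If you do enable EFS, export and back up the recovery certificate first, because the files are unreadable without the key if the user profile is lost along with the laptop.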