Networks and Security

Uploaded by annora on 13 Jan 2016 (category: Documents). Transcript of a PowerPoint presentation; slide graphics and screenshots are not reproduced.

DESCRIPTION

Networks and Security. How real is the threat? 88% of IT staff polled in the US recently said their organizations had been affected by Internet viruses or worms in the past year, even though 90% of firms have an IT security system in place (Information Security Magazine, 2001). Worm threats, attack trends, the types of attacker, the seven-step attack profile, and the defenses (sniffer detection, split DNS, firewalls, log signatures, honey pots, IDS).

TRANSCRIPT

Page 1: Networks and Security

Networks and Security

Page 2: Networks and Security

How Real is the Threat?

88% of IT staff polled in the US recently said their organizations had been affected by Internet viruses or worms in the past year, even though 90% of firms have an IT security system in place. Information Security Magazine, 2001

Page 3: Networks and Security

Worm Threats

- NIMDA and Code Red generated the majority of attack activity, accounting for 63% of recorded attacks
- Each worm attacked known problems for which patches were already available
- New zero-day worms will hit vulnerabilities that have not been publicly disclosed
- Future worms will morph (change their code and signatures as they spread)

Page 4: Networks and Security

Trends

- 39% of attacks appeared to be targeted at a specific system or company
- 61% appeared opportunistic: the attacker scanned and exploited whatever was found
- 42% of the attacks were aimed at large corporations of 1,000 or more employees
- This suggests that higher-profile corporations are bigger targets than lower-profile ones

Page 5: Networks and Security

Majority of Attacks Are Launched From a Small Number of Countries

Ten countries account for 70% of attacks:
- 30% United States
- 9% South Korea
- 8% China

The largest number of attacks per IP address came from Israel.

Page 6: Networks and Security

Attacks and Ports

(Chart of attack counts by port; not reproduced in the transcript.)

Page 7: Networks and Security

Current Attacks

Page 8: Networks and Security

Most Probed Ports

- NetBIOS name service (UDP 137): the Windows service that maps IP addresses to names for file sharing applications. Probing it is the first step of a scan for open file shares.
- MS-SQL Server (TCP 1433): used by remote clients to query for network connections to the database engine.
- HTTP (TCP 80): open as soon as a web server is installed.

Page 9: Networks and Security

Trends

The industries with the highest attack rates are:
- Education
- High Tech
- Financial Services
- Media/Entertainment
- Power and energy companies

Each averaged more than 700 attacks per company in the last six months.

Power and energy companies suffered attacks from the Middle East at twice the mean of other companies.

High Tech and Financial companies suffered attacks from Asia at a rate 50% higher than the mean for other companies.

Page 10: Networks and Security

Top Ten Attacks

47.8%  M.S. IIS Server ISAPI overflow
25.1%  (Code Red) Generic root request attack of root.exe in /scripts directory
23.5%  M.S. IIS Server traversal attack
17%    M.S. IIS Server arbitrary code attack (code URL twice)
16.5%  (Code Red) "cmd.exe" attack
5%     Scan for port 27374 for SubSeven (2600 Magazine)
3.8%   Scan for vulnerable or mis-configured FTP servers
2.8%   Scans for RPC enabled
1.3%   Scans for ssh (exploit)
1.2%   Scans for LPD (exploit)

(Source: Riptech)

Page 11: Networks and Security

General Types of Hackers

- Kiddie scripters
- Black hats
- Network-savvy employees
- Government entities

Page 12: Networks and Security

Kiddie Scripters

- Run scripts from hacker sites
- Rarely recompile to change ports or alter attack signatures
- Poor resources; usually tied to an ISP
- Usually want a quick "hit" or break-in and are largely indiscriminate about targets
- Leave behind lots of evidence

Page 13: Networks and Security

Take Your Pick of Hacker Groups

Page 14: Networks and Security

Places for Evil

Page 15: Networks and Security

Know Your Enemy--Places to Visit

http://www.hacktech.org/
http://surf.to/damage_inc
http://www.oninet.es/usuarios/darknode/
http://b0iler.eyeonsecurity.org/tutorials/index.html
http://ist-it-true.org/pt
http://hackersplayground
http://packetstorm.widexs.nl/exploits20.shtm
http://astalavista.box.sk

Page 16: Networks and Security

Black Hats

- Recompile the code of others to change attack signatures
- Write programs that may or may not be shared
- Moderate resources; usually tied to an ISP, but can have their own domains and domain servers
- Much more cautious; attacks may be spread over weeks
- Mafia organizational models: key, highly skilled hackers are generally isolated by layers of "kiddie scripters" for protection

Page 17: Networks and Security

Reconnaissance

Request a file that doesn't exist on a web server: the 404 error page and its Server header reveal the server software and version.
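To see the leak the slide describes, the following added example (not part of the original slides) starts two small HTTP servers from Python's standard library on loopback, requests a path that does not exist from each, and reads back the status line and the Server header. The stock handler answers the 404 with "Server: BaseHTTP/x.y Python/3.z", exactly the product-and-version string an attacker is after; the hardened handler overrides version_string() so the same 404 carries a generic token. The request path, handler names and the "webserver" token are constructed for the demo.

```python
"""Added example: what a 404 for a non-existent path gives away, and how to stop it.

Constructed demo (not from the original slides): two local http.server instances,
one with the stock Server header and one that overrides version_string().
"""
import http.server
import socket
import threading


def _serve(handler_cls):
    """Start an HTTP server on an ephemeral loopback port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class LeakyHandler(http.server.BaseHTTPRequestHandler):
    """Stock behaviour: send_error() attaches 'Server: BaseHTTP/x.y Python/3.z'."""

    def do_GET(self):
        self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(LeakyHandler):
    """Same 404, but the Server header no longer names product or version."""

    def version_string(self):
        return "webserver"   # constructed placeholder token


def grab_server_header(host, port, path="/does-not-exist-4f2a"):
    """The reconnaissance step: request a bogus path, return (status line, Server header)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        raw = b""
        while chunk := s.recv(4096):   # HTTP/1.0: server closes when the response is done
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return lines[0], server


def compare():
    """Run both servers and fingerprint each: {'leaky': (status, server), 'hardened': (...)}."""
    results = {}
    for label, handler in (("leaky", LeakyHandler), ("hardened", HardenedHandler)):
        srv = _serve(handler)
        try:
            results[label] = grab_server_header(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, (status, server) in compare().items():
        print(f"{label:9s} {status!r:28s} Server: {server}")
```

Hiding the banner does not remove the vulnerability behind it; it removes the shortcut. Fingerprinting by default error-page layout, header ordering and behaviour on malformed requests still works, so treat this as one layer, and patch.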

Page 18: Networks and Security

Network-Savvy Employees

- Never share or use the code of others, unless doing so is an intentional deception
- Inside knowledge of the infrastructure enables a more sophisticated approach

Page 19: Networks and Security

Governments

- Attacks and coordinated probes may stretch over months or years and are calculated to bypass the best IDSs
- Launched as part of policy
- Have direct access to tier 1 Internet service providers (ISPs) or use government resources
- Able to manipulate domain and WHOIS databases, root servers and Internet routing paths
- May be recruited from black hats or federal agencies

Page 20: Networks and Security

Nuisance Threats

These individuals may evolve from online trespass and vandalism to more criminal activity such as theft of information, extortion, and credit card fraud

In addition, this group is a pool of potential resources for more traditional criminal elements to exploit either directly or indirectly

Page 21: Networks and Security

Low Level Threats

- On-line trespass
- Vandalism
- Script kiddies, who compile existing hacker code against existing vulnerabilities

Page 22: Networks and Security

Malicious Threats

Launch viruses or self-propagating "bots" that harvest e-mail addresses, credit card numbers, or other valuable data

Identity theft is big business

Page 23: Networks and Security

Doomsday Threats

- After key financial information that can be leveraged for money
- Scan likely unfriendly nations for critical infrastructure weak points
- Characterized by long-term, stealthy (not noisy) scans and probes
- Have access to resources
- Undetectable

Page 24: Networks and Security

Criminal Activity Categories

- Extortion
- Organized crime
- Political groups (terrorists)
- Industrial espionage and sabotage
- International intrusions

Page 25: Networks and Security

Criminal Activity

49% of information security professionals' companies have had personnel who have physically destroyed or stolen computing equipment, up from 42% in 2000. Industry Survey from Information Security Magazine, 2001. See http://www.vectec.org/researchcenter/stats.html?category=9

Page 26: Networks and Security

Hacker Pattern Reuse

Each hacker has a “signature” for attack methodologies

It is often possible to describe each separate attacker by their trademark styles and choice of tools and exploits

Once they find a sequence or type of attack that works they use the same choice of tools each time

Page 27: Networks and Security

Seven Step Attack Profile Overview

- Reconnaissance: gathering information on your organization
- Footprinting: get the network details
- Port scanning: find the actual services available
- Enumeration: promising targets are identified in more detail
- Gaining access: choose an informed hack/crack
- Escalating privileges: elevate to system access
- Pilfering: grab any interesting/profitable data
- Covering tracks: hide the intruder's activity on the machine

Page 28: Networks and Security

Profiling

Objective
- Gathering information about the organization

Technique
- Web searches, public documents, and legal databases
- Web browsers: most public or legally available information is now available on line

Page 29: Networks and Security

Sniffers Are Your Friend and Foe

Everything that touches your machine from a data network can be seen on a sniffer: passwords, account names, social security numbers, birth dates, and other personal information

Hackers frequently use sniffers to ply their trade

Sniffers also help the good guys by catching issues that IDSs and firewall logs will miss

Page 30: Networks and Security

Network Associates (NAI) Sniffer

Page 31: Networks and Security

Network Associates (NAI) Sniffer

- The premier network diagnostic program available to network professionals
- Hacker sniffers, by contrast, tend to concentrate on capturing and logging targeted information such as user names, passwords and commands
- dsniff is a suite of password-grabbing tools; it includes mailsnarf, an e-mail grabber

Page 32: Networks and Security

dsniff

Page 33: Networks and Security

Sniffer Exploits

- Sniffers are programs that put the network interface into "promiscuous" mode
- In this mode the driver passes every frame on the local network segment up to the sniffer, not just the frames addressed to the host
- On segments built with Ethernet hubs, as opposed to switches, every user's traffic reaches every port, so the attacker can log everyone's information off the network

Page 34: Networks and Security

Dsniff - Password-Decoding Sniffer

- dsniff listens patiently for passwords to come along
- It decodes NetBIOS-based Windows, IMAP, POP3, SNMP, and many other types of passwords
- SNMPv1 and v2c community strings travel in cleartext. If you run network diagram programs like Visio, TGV (Computer Associates) or HP OpenView with the read or read-write SNMP community string, you are handing it to anyone sniffing the segment
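How a dsniff-style sniffer gets from raw frames to user names and passwords, as an added example that is neither dsniff's code nor the slide's: the frames below are constructed in-line with struct.pack (nothing is captured from a live network), the parser walks the Ethernet, IPv4 and TCP headers by hand, and the credential extractor keys on the cleartext login dialogues of POP3, FTP and IMAP. The last frame, to port 995 (POP3 over TLS), shows what the same sniffer sees once the protocol is encrypted: bytes, but no usable login. Addresses, ports and credentials are made up.

```python
"""Added example: dsniff-style cleartext credential extraction from raw frames.

Frames are constructed in-line with struct.pack; a real sniffer would read them
from a promiscuous-mode socket or a pcap file. Addresses and logins are made up.
"""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, offset, flags, win, csum, urg

# Server ports whose login dialogue is cleartext; this is where dsniff's decoders key in.
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3", 143: "imap"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left zero; the parser ignores them)."""
    eth = ETH_HDR.pack(b"\x00\x50\x56\xaa\xbb\xcc", b"\x00\x0c\x34\x23\xaf\xbc", 0x0800)
    tcp = TCP_HDR.pack(sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK, no options
    total_len = IP_HDR.size + len(tcp) + len(payload)
    ip = IP_HDR.pack(0x45, 0, total_len, 30241, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP; return (src, dst, sport, dport, payload), or None if not TCP/IPv4."""
    if len(frame) < ETH_HDR.size + IP_HDR.size + TCP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0800:
        return None
    ip_off = ETH_HDR.size
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(frame, ip_off)
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    tcp_off = ip_off + (ver_ihl & 0x0F) * 4
    sport, dport, _, _, data_off, _, _, _, _ = TCP_HDR.unpack_from(frame, tcp_off)
    payload = frame[tcp_off + (data_off >> 4) * 4: ip_off + total_len]
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload


class CredentialSniffer:
    """Pairs USER/PASS per flow; the two usually arrive in separate TCP segments."""

    def __init__(self):
        self.partial = {}    # (src, dst, sport, dport) -> {"user": ..., "pass": ...}
        self.captured = []

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        src, dst, sport, dport, payload = parsed
        proto = CLEARTEXT_LOGIN_PORTS.get(dport)
        if proto is None:            # TLS, SSH, ...: the bytes are there but carry no usable login
            return
        state = self.partial.setdefault((src, dst, sport, dport), {})
        for line in payload.splitlines():
            parts = line.split()
            if proto in ("ftp", "pop3") and len(parts) == 2 and parts[0].upper() in (b"USER", b"PASS"):
                state[parts[0].decode().lower()] = parts[1]
            elif proto == "imap" and len(parts) == 4 and parts[1].upper() == b"LOGIN":
                state["user"], state["pass"] = parts[2].strip(b'"'), parts[3].strip(b'"')
            if "user" in state and "pass" in state:
                self.captured.append({"proto": proto, "client": src, "server": dst,
                                      "user": state["user"].decode(), "pass": state["pass"].decode()})
                state.clear()


def demo():
    """Five constructed frames: a POP3 login split over two segments, FTP, IMAP, and one TLS record."""
    sniffer = CredentialSniffer()
    frames = [
        build_frame("128.12.43.44", "128.12.43.10", 40001, 110, b"USER alice\r\n"),
        build_frame("128.12.43.44", "128.12.43.10", 40001, 110, b"PASS hunter2\r\n"),
        build_frame("128.12.43.45", "128.12.43.11", 40002, 21, b"USER ftpadmin\r\nPASS s3cret\r\n"),
        build_frame("128.12.43.46", "128.12.43.12", 40003, 143, b'a001 LOGIN bob "letmein"\r\n'),
        build_frame("128.12.43.47", "128.12.43.13", 40004, 995, b"\x16\x03\x01\x00\x4a\x01\x00\x00\x46"),
    ]
    for frame in frames:
        sniffer.feed(frame)
    return sniffer.captured


if __name__ == "__main__":
    for cred in demo():
        print(cred)
```

The fix the slide is driving at is not a better switch: it is taking the cleartext off the wire (SSH instead of telnet and rsh, POP3S/IMAPS or STARTTLS instead of ports 110 and 143, SNMPv3 instead of community strings). Against that, the decoder above has nothing to match.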

Page 35: Networks and Security

Sniffer Defenses

Ethernet switches are not a security panacea. Flooding the switch with bogus MAC addresses can fill the bridge table and cause one of two switch behaviors:
- 30% of the time the switch starts forwarding ALL packets to ALL ports (hub behavior), and the attacker can sniff again
- 70% of the time the switch crashes

Page 36: Networks and Security

Sniffer Defense

- Monitor your switch reboots with the Simple Network Management Protocol (SNMP)
- Send SNMP "traps" to your central security monitoring console when switches reboot or report bridge table "full" error events
- It is also very valuable to centrally log switch and router SNMP authentication failure traps, which report failed logins and bad community strings

Page 37: Networks and Security

Sniffer Defense

- @stake makes a sniffer "detector", AntiSniff, available for trial and sale
- A host in promiscuous mode has to process every frame on the segment, so when the segment is busy it takes measurably longer to answer network requests
- AntiSniff floods the segment and measures the change in response latency of each host's IP stack (alongside its other tests) to flag likely sniffers

Page 38: Networks and Security

L0PHT (@stake) antisniff

Page 39: Networks and Security

Foot Printing

Objective
- Get address range, namespace details, contacts, and reverse domain info

Technique
- Open source info, DNS, iterative reverse DNS or zone transfer

Tools
- nslookup, dig, whois, ARIN whois, etc.
- Plain old HTTP lookups on their favorite search engine: Google, Altavista

Page 40: Networks and Security

Foot printing

whois and nslookup
- http://www.arin.net/whois/index.html
- Department of Defense
- RIPE
- APNIC

Web search engines
- Google

Page 41: Networks and Security

Domain Name Service (DNS)

The Domain Name System (DNS) is a hierarchical, distributed directory that maps host names (text strings) to the IP addresses that applications actually use.

Domain name servers are also called name servers.

Page 42: Networks and Security

Domain Name Services (DNS)

DNS servers use forward and reverse zone text files that contain domain entries.

Forward zone files include:
- "A" records for IP addresses
- HINFO records for software and platform information (publishing these hands the OS fingerprint to anyone who asks)
- CNAME (canonical name) records for aliases
- MX (mail exchange) records for e-mail

Page 43: Networks and Security

Whois

Domain lookup:
http://www.arin.net/whois/index.html
http://www.geektools.com/cgi-bin/proxy.cgi

Page 44: Networks and Security

Geektools.com

Page 45: Networks and Security

DNS Exploit - Information Grabbing

Programs like Sam Spade and whois reveal an enormous amount of information about your company's Internet connections, managers, and administrative contacts.

Page 46: Networks and Security

Sam Spade

Page 47: Networks and Security

Sam Spade

Page 48: Networks and Security

Sam Spade

Page 49: Networks and Security

DNS Exploit - Information Grabbing

Defense: use two DNS servers, one inside your network and another outside. This is called the "split" domain name server architecture.

- By blocking outside access to the inside name server, which holds all the network information, it is possible to hide inner host information from interlopers
- Allow only the most essential information to be available to the general Internet
- Secure the servers the Internet "knows about"; the external server should also refuse zone transfers to anyone but its own secondaries

Page 50: Networks and Security

"Split" Domain Servers

Page 51: Networks and Security

Denial of Service Exploit

- The attacker sends a flood of SYN packets, each starting a new TCP connection; the target answers each with a SYN-ACK and holds the connection in the half-open (SYN-RECEIVED) state while it waits for the final ACK
- For every half-open connection the host spends CPU time and allocates memory buffers, consuming limited resources
- The host is usually replying to a "spoofed" source address, so the final ACK never comes
- If enough half-open connections are started on the target machine . . .
- It runs out of memory or CPU resources and stops accepting new connections, or crashes

Page 52: Networks and Security

Denial of Service Defense

Specialized intrusion detection systems recognize DoS attacks and issue RST packets to either the sender or destination or both and kill the network connection

The host machine immediately releases resources upon receipt of a packet with the RST flag set

Page 53: Networks and Security

Denial of Service Defense

- Reduce the TCP wait timer (the SYN-RECEIVED timeout) on your servers from the default 600 seconds to about 3
- This "times out" the half-open connection and lets your server recoup its resources faster and resist the attack. The trade-off: a very short timeout also drops legitimate clients on slow or lossy links whose ACK arrives late
- Increase the server resources; memory is cheap. Allocate additional connection buffers (the listen backlog) to absorb the attack; bumping it from 10 to 200 should do it
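The two knobs on the slide (a shorter SYN-RECEIVED timeout and a bigger backlog) still leave a finite table that a fast enough flood fills. SYN cookies, which the slide does not mention but which Linux, FreeBSD and others ship for exactly this case, remove the table altogether by encoding the half-open state into the SYN-ACK's initial sequence number, so the server stores nothing until the client's ACK proves the handshake is real. The added example below is a simplified model of that scheme, not the kernel implementation: the top 5 bits carry a 64-second counter, the next 3 bits an MSS table index, and the low 24 bits a keyed MAC over the 4-tuple and counter. The secret, the injectable clock and every address are constructed for the demo.

```python
"""Added example: a simplified SYN cookie, the stateless answer to SYN floods.

Cookie layout (it becomes the SYN-ACK's initial sequence number), modelled on the
classic scheme: 5 bits of a 64-second counter, 3 bits of MSS table index, 24 bits
of keyed MAC. Not the Linux implementation; secret, clock and addresses are
constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # the MSS values the 3-bit index can encode
COUNTER_WINDOW = 64                    # seconds per counter tick
MAX_AGE_TICKS = 1                      # accept the current and the previous tick only


class SynCookieServer:
    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock          # callable returning seconds; injectable so the demo can age cookies
        self.established = []       # connections that completed the handshake

    def _tick(self):
        return int(self.clock()) // COUNTER_WINDOW

    def _mac(self, saddr, sport, daddr, dport, tick):
        """24-bit keyed MAC binding the cookie to the 4-tuple and the counter value."""
        msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHI", sport, dport, tick)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, saddr, sport, daddr, dport, client_mss):
        """Answer a SYN: compute the cookie, use it as our ISN, store nothing."""
        tick = self._tick()
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        mac = int.from_bytes(self._mac(saddr, sport, daddr, dport, tick), "big")
        return ((tick & 0x1F) << 27) | (mss_idx << 24) | mac

    def on_ack(self, saddr, sport, daddr, dport, ack_number):
        """Third handshake packet: the cookie is ack-1. If valid, recover the MSS and create state."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        cookie_tick = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        if mss_idx >= len(MSS_TABLE):
            return None
        now = self._tick()
        for age in range(MAX_AGE_TICKS + 1):
            tick = now - age
            if tick & 0x1F != cookie_tick:
                continue
            expected = self._mac(saddr, sport, daddr, dport, tick)
            if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
                mss = MSS_TABLE[mss_idx]
                self.established.append((saddr, sport, mss))
                return mss
        return None


def demo():
    clock = {"t": 1_000_000.0}
    server = SynCookieServer(b"per-boot-random-secret", lambda: clock["t"])

    # A flood of 100 000 SYNs from spoofed sources: every one is answered, none leaves state behind.
    for i in range(100_000):
        server.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                      1024 + i % 60000, "192.0.2.10", 80, 1460)
    state_after_flood = len(server.established)

    # A real client finishes the handshake 200 ms later and gets its MSS back out of the cookie.
    isn = server.on_syn("198.51.100.7", 51515, "192.0.2.10", 80, 1460)
    clock["t"] += 0.2
    legit = server.on_ack("198.51.100.7", 51515, "192.0.2.10", 80, isn + 1)

    # A forged ACK with a guessed number, and the valid cookie replayed from another address.
    forged = server.on_ack("198.51.100.8", 51515, "192.0.2.10", 80, 0x12345678)
    replayed = server.on_ack("203.0.113.9", 51515, "192.0.2.10", 80, isn + 1)

    # The same client again, but its ACK arrives three counter windows late: the cookie has expired.
    isn2 = server.on_syn("198.51.100.7", 51516, "192.0.2.10", 80, 1300)
    clock["t"] += 3 * COUNTER_WINDOW
    stale = server.on_ack("198.51.100.7", 51516, "192.0.2.10", 80, isn2 + 1)

    return {"state_after_flood": state_after_flood, "legit_mss": legit,
            "forged": forged, "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The price of storing nothing is that the cookie cannot carry every TCP option negotiated in the SYN (window scaling, SACK), which is why real stacks turn cookies on only once the backlog overflows rather than for every connection.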

Page 54: Networks and Security

Logical Data Network Structure

Networks are made up of network devices that pass packets based on addresses and network paths

Routers and switches keep track of these addresses and routes in internal tables

What are some examples of these internal tables?

Page 55: Networks and Security

Logical Data Network Structure

- "Switch" table (bridge table): MAC (L2) addresses associated with a physical interface
- "ARP table": layer 3 network addresses associated with an L2 address and usually a physical interface

Page 56: Networks and Security

Logical Data Network Structure

- Routing table: layer 3 network route mappings associated with a next hop and an L1 (physical) interface

Page 57: Networks and Security

Internet Control Message Protocol (ICMP)

- Routers that become congested return an ICMP "source quench" message as a simple form of flow control; some routers send it when their communication buffers fill up
- ICMP is the traffic cop for IP networks
- These messages are unauthenticated, so anyone who can forge them can throttle or redirect your traffic (source quench has since been deprecated by RFC 6633)

Page 58: Networks and Security

RARP, BOOTP, and DHCP

- RARP (earlier slide): given the MAC (L2) address, give me the network (L3) address
- BOOTP: an improvement on RARP that gave us automated IP addresses, automated boot images, gateway addresses, etc.
- DHCP (Dynamic Host Configuration Protocol): a later IETF standard (RFC 2131) built on BOOTP that added leases, vendor- and user-specified option fields, and advanced abilities such as redundant servers. None of the three authenticates the server, so a rogue DHCP server on the segment can hand out its own gateway and DNS addresses

Page 59: Networks and Security

Crafted Packets Exploit

Build what you want and create a hack - a thousand different ways. The fragment below (libnet 1.0 API, as shown on the slide) forges an ICMP Parameter Problem message that carries a hand-built IPv4 header in its payload; the slide does not show the rest of the program.

    if ( (packet = malloc(1500)) == NULL ) {
        perror("malloc: ");
        exit(-1);
    }
    if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
        perror("socket: ");
        exit(-1);
    }
    libnet_build_ip(len,             /* Size of the payload; remaining arguments not shown on the slide */

    /* ICMP Header for Parameter Problem
     * --------------+---------------+---------------+---------------
     * |  Type (12)  |   Code (0)    |           Checksum            |
     * --------------+---------------+---------------+---------------
     * |   Pointer   |                    unused                     |
     * --------------+---------------+---------------+---------------
     * Internet Header + 64 bits of original datagram data....
     */

    /* Need to embed an IP packet within the ICMP */
    ip = (struct ip *) (packet + IP_H + 8);   /* 8 = icmp header */
    ip->ip_v   = 0x4;                 /* IPV4 */
    ip->ip_hl  = 0xf;                 /* Some IP Options */
    ip->ip_tos = 0xa3;                /* Whatever */
    ip->ip_len = htons(data_len);     /* Length of packet */
    ip->ip_id  = 30241;               /* Whatever */
    ip->ip_off = 0;                   /* No frag's */
    ip->ip_ttl = 32;                  /* Whatever */
    ip->ip_p   = 98;                  /* Random protocol */
    ip->ip_sum = 0;                   /* Will calc later */
    ip->ip_src.s_addr = ins_src_ip;
    ip->ip_dst.s_addr = ins_dst_ip;

Page 60: Networks and Security

DNS Exploit - Cache Poisoning

DNS answers are heavily cached on servers. What if an attacker could craft a packet that "poisons" the DNS cache with the wrong information? Could a hacker/cracker redirect domain name server queries to the wrong machine?

Page 61: Networks and Security

What Else Could Crafted Packets Do?

- Distribute a bad route to your core data network routers, black-holing much of your network traffic
- Foul up switched networks with bogus bridge protocol data unit (BPDU) packets, forcing spanning tree recalculations that block network interfaces
- Block router IP interfaces with bad ARP replies

Page 62: Networks and Security

Crafted Packets Defense

- Turn everything off! Do not require or allow ICMP features like gateway redirection, source quench, or router advertisement
- Turn off the spanning tree algorithm (STA) where it makes sense
- Use the authenticated and encrypted versions of any available protocols, e.g. OSPF with authentication rather than RIP version 1, which has none
- Tie your routers together with access control lists (ACLs) to control inbound broadcasts
- Don't "do it by the book". Cisco design principles are wrong, as they value "speed" of the network over security. Application server speed is king, and people on LANs don't perceive LAN speed optimization as delays

Page 63: Networks and Security

netcat

- netcat, the Swiss army knife of hacking
- Can "attach" to an arbitrary port to listen for data
- Can be set up to send crafted packet data to an arbitrary port
- Usually traffic is first captured into a hex file, the data is edited, and then it is sent back out to the same network it came from

Page 64: Networks and Security

Netcat options - scary!!!

Page 65: Networks and Security

Netcat listener

Page 66: Networks and Security

Netcat Listener Receiving Test Text

Page 67: Networks and Security

Port Scanning

Target ID and assessment for attack: what looks most promising?

Technique
- ICMP sweep, TCP/UDP scans, OS detection
- What version of Windows are they running? What are the publicly available hacks/cracks for this version?

Tools
- fping, hping, nmap, ncat -p, fscan, queso

Page 68: Networks and Security

Ports or Service Addresses

- A service or port number is a 16-bit number (0 to 65535), usually written in base 10. Example: 31337
- Port numbers let the receiving host know which application a data packet is intended for
- Popular service addresses or ports are 80 for HTTP, 23 for telnet, 20 and 21 for file transfer protocol (FTP), and 22 for ssh (secure shell)

Page 69: Networks and Security

How Do I Know What Services Are Running?

netstat!

    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  *.submission           *.*                    LISTEN
    tcp4       0      0  *.sunrpc               *.*                    LISTEN
    udp6       0      0  *.chargen              *.*
    udp4       0      0  *.echo                 *.*
    udp4       0      0  *.time                 *.*
    udp4       0      0  *.daytime              *.*
    udp4       0      0  *.bootps               *.*
    udp4       0      0  *.tftp                 *.*
    udp4       0      0  *.ntalk                *.*
    udp4       0      0  *.1011                 *.*
    udp4       0      0  *.nfsd                 *.*
    udp4       0      0  *.1023                 *.*
    udp4       0      0  *.sunrpc               *.*
    udp4       0      0  *.syslog               *.*
    udp6       0      0  *.syslog               *.*
    Active UNIX domain sockets
    Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
    c6143ec0 dgram       0      0        0 c613efc0        0 c6143f00
    c6143f00 dgram       0      0        0 c613efc0        0 c6143f40

Page 70: Networks and Security

UDP Packet Ports

Page 71: Networks and Security

TCP Addresses

Page 72: Networks and Security

How Do Hackers Generate Port Scans?

nmap

    Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
    Insufficient responses for TCP sequencing (3), OS detection may be less accurate
    Interesting ports on william.clark (192.168.1.130):
    (The 1007 ports scanned but not shown below are in state: closed)
    Port       State       Service
    7/tcp      open        echo
    19/tcp     open        chargen
    21/tcp     open        ftp
    22/tcp     open        ssh
    23/tcp     open        telnet
    25/tcp     open        smtp
    37/tcp     open        time
    79/tcp     open        finger
    111/tcp    open        sunrpc
    139/tcp    open        netbios-ssn
    512/tcp    open        exec
    513/tcp    open        login
    514/tcp    open        shell
    540/tcp    open        uucp
    587/tcp    open        submission
    1022/tcp   open        unknown
    1023/tcp   open        unknown

    Remote operating system guess: MacOS X 10.0.4 (Darwin V. 1.3-1.3.7 or 4P13)    <-- O.S. guess!
    Uptime 0.007 days (since Thu Nov 15 15:11:50 2001)

    Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds

Page 73: Networks and Security

How do hackers generate port scans?

nmapfe (the nmap front end)

Page 74: Networks and Security

Features of TCP Packets

- Sequence numbers: where does this segment sit in the sequence or flow of data?
- Window size: how many bytes may be sent before an acknowledgement is required?
- Flags:
  - RST: set for errors; may be used as a session "stopper" in "active" intrusion detection
  - SYN: set to synchronize sequence numbers
  - ACK: acknowledges data and session information

Page 75: Networks and Security

TCP: A Connection Oriented Protocol

The TCP protocol for IP packets (TCP/IP) has features which enable TCP to keep track of:
- How many packets need to be sent?
- How many packets have been sent?
- How many packets are left to be sent?
- If there is an error, which packets need to be sent again?

Page 76: Networks and Security

Man in the Middle Attacks

There are TCP "session grabbing" programs, such as "Juggernaut" and "Hunt", that let attackers who sit where they can eavesdrop on both sides of a data connection "intercept" one end of the conversation and "take it over."

Page 77: Networks and Security

TCP Sequence Prediction

Yes, it is possible to do what's called TCP sequence prediction and pick up another session even if you can't eavesdrop: if a server's initial sequence numbers are predictable, an attacker who probes it a few times can guess the numbers it will use for someone else's connection and inject spoofed segments blind.

Hunt and Juggernaut are the best-known hijacking tools. They mostly work on-path, reading the live sequence numbers off the wire, but the idea is the same: connect to a computer, usually a server, characterize the type of TCP sequence the machine expects in connections, then "break into" another connection that machine is having with another user.

Normally, you will detect Juggernaut, and its big brother Hunt, trying to break into established web site connections to other customers to steal personal information or identities.

Page 78: Networks and Security

Enumeration

Objective
- Promising targets are identified in more detail

Technique
- List user accounts, trusts, find IP addresses to attack, file shares, identify applications, etc. Are campus-wide directories available? LDAP?

Tools
- LDAP directories, Legion, NIS, DumpACL, sid2user, Onsite, etc.

Page 79: Networks and Security

Address Resolution Protocol Table Entries

The Address Resolution Protocol (ARP) lets a host or router find the Ethernet address for an IP address on the local segment; the answers are kept in an internal ARP table (cache) that associates each IP address with a PC's Ethernet address and a physical interface.

ARP table entries (as shown on the slide):

    Ethernet address     IP address     Interface
    00-0c-34-23-af-bc    128.12.43.44   intf0
    00-0c-34-23-af-bc    128.12.43.44   intf0
    00-0c-34-23-af-bc    128.12.43.44   intf0
    00-0c-34-23-af-bc    128.12.43.44   intf1

If attackers could get your network's ARP information they would have a complete map of which hosts are live on each segment, the "keys" to your network.

Page 80: Networks and Security

Arpwatch - Very Common In Unix

Monitors the address resolution protocol as the network works, capturing and reporting to the user (or attacker) the IP and Ethernet address information of your network. This can give an attacker all the specific information they need to "cull" a sheep out of the herd.
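An arpwatch-style monitor as an added example (not arpwatch's own code, not the slide's): it decodes ARP packets built in-line with struct.pack, learns IP-to-MAC bindings, and raises the three events arpwatch reports in practice: a new station, a changed ethernet address, and a flip flop (an address that keeps switching between two MACs, the typical signature of someone poisoning a gateway entry with the "bad ARP replies" of slide 61). The MAC and IP addresses, and the sequence of frames, are constructed for the demo.

```python
"""Added example: an arpwatch-style ARP monitor over constructed frames."""
import socket
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP request (oper=1) or reply (oper=2), as a capture would deliver it."""
    eth_dst = BROADCAST if oper == 1 else mac_bytes(target_mac)
    eth = ETH.pack(eth_dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, oper,
                   mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                   mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender MAC, sender IP) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_text(sha), socket.inet_ntoa(spa)


class ArpWatch:
    """Learns IP -> MAC bindings and reports the events arpwatch reports."""

    def __init__(self):
        self.table = {}      # ip -> current MAC
        self.previous = {}   # ip -> the MAC seen before the current one
        self.alerts = []     # (event, ip, new MAC, old MAC)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, mac, ip = parsed
        if oper not in (1, 2) or ip == "0.0.0.0":   # ignore ARP probes and unknown opcodes
            return None
        old = self.table.get(ip)
        if old is None:
            event = "new station"
        elif old == mac:
            return None                              # unchanged binding: stay quiet
        elif self.previous.get(ip) == mac:
            event = "flip flop"                      # bouncing back to an earlier MAC
        else:
            event = "changed ethernet address"
        if old is not None:
            self.previous[ip] = old
        self.table[ip] = mac
        alert = (event, ip, mac, old)
        self.alerts.append(alert)
        return alert


def demo():
    """Gateway at 128.12.43.1; a second host starts answering for it (ARP poisoning)."""
    gateway, victim, attacker = "00:0c:34:23:af:bc", "00:0c:34:23:af:01", "00:50:56:aa:bb:cc"
    frames = [
        build_arp(2, gateway, "128.12.43.1", victim, "128.12.43.44"),                  # new station
        build_arp(1, victim, "128.12.43.44", "00:00:00:00:00:00", "128.12.43.1"),      # new station
        build_arp(2, gateway, "128.12.43.1", victim, "128.12.43.44"),                  # same: quiet
        build_arp(2, attacker, "128.12.43.1", victim, "128.12.43.44"),                 # changed ethernet address
        build_arp(2, gateway, "128.12.43.1", victim, "128.12.43.44"),                  # flip flop
        build_arp(2, attacker, "128.12.43.1", victim, "128.12.43.44"),                 # flip flop
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A "changed ethernet address" on the gateway's IP with no maintenance ticket behind it is the alert to page on; a "flip flop" means the real gateway and the impostor are both still talking, which is what it looks like while the poisoning is in progress.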

Page 81: Networks and Security

Firewalls Definition

What are they? Firewalls are network devices that pass or drop packets based on a programmed rule set.

Firewall rule sets are based on physical port, IP address, transport address (port) or other parameters.

Page 82: Networks and Security

Firewalls Definition

Firewalls are generally categorized into three groups:
- Stateless: does not maintain state or track packet history
- Stateful: maintains state, and is able to reassemble fragmented packets before deciding
- Proxy: may redirect traffic to other machines based on firewall policy. Typically used to redirect e-mail through virus scanning software.

Page 83: Networks and Security

Basic Firewall Platforms

Types
- Packet dropping filters (stateless): commonly seen as access control lists (ACLs) in routers. Cisco dominates this market.
- Complex or stateful firewalls: generally seen in firewall appliances. Lucent Brick, Cisco PIX, Check Point and Nokia all have entries in this market.

Page 84: Networks and Security

Firewalls - Network Based

Page 85: Networks and Security

Firewalls -- Bridge Based

Page 86: Networks and Security

Bridging Firewalls are Better

Why? Because routing firewalls depend on IP address "gateways" to route packets. Any external IP address is subject to attack and may limit your data when it is attacked.

Bridge-based firewalls have no external IP addresses that are required to forward packets and as such do not have routing interfaces that can be attacked! (They still need a management address; put it on a separate, inside-only interface.)

Page 87: Networks and Security

FW May Block Based On IP Address

Page 88: Networks and Security

FW May Block Based On Port Address

Page 89: Networks and Security

What Does A Basic Firewall Setup Look Like?

Page 90: Networks and Security

Firewalls come in other flavors

The market is full of smart firewalls. A layer 7 or application layer firewall acts to block packet streams from certain applications, such as peer-to-peer media sharing programs like Gnutella.

These are often sold as traffic shaping devices. Traffic shaping firewalls can block MP3 (audio) transfers even if the data is using a common well known service (WKS) port such as FTP or HTTP: they detect the type of data, not just the IP address and port that is being used.

Page 91: Networks and Security

Host Based Firewalls

- Excellent protection, one host at a time
- Software running under the operating system
- Many host software firewalls also use intrusion detection algorithms in tune with the firewall to protect the host
- Commercial software such as Norton, McAfee, Black Ice Defender, and Zone Alarm dominate this market

Page 92: Networks and Security

Host Based Firewalls: Black Ice Defender

Page 93: Networks and Security

Host Based Firewalls: Black Ice Defender

Page 94: Networks and Security

Host Based Firewalls: Norton

Page 95: Networks and Security

Host Based Firewalls: Tiny Firewall

Page 96: Networks and Security

Network Address Translation (NAT)

Firewalls that "hide" multiple IP addresses behind a single IP address!

This has the effect of confusing attackers. In particular, an "nmap -O" scan, which tries to determine the operating system, will be "all over the map" and generally fail through NAT with multiple machines behind it, because successive probes may be answered by different hosts.

The NAT algorithm is easily modified to control or block inbound versus outbound connections.

Page 97: Networks and Security

Network Address Translation (NAT)

Page 98: Networks and Security

FW Rule Sets - Examples

- Loose (higher education): accept all, specifically deny dangerous ports (services)
- Moderate (corporate): deny all except for well-known services on known machines
- Tight (defense): deny all except the generals to nba.com.

Page 99: Networks and Security

Firewall rule set excerpt (column labels inferred: rule name, direction, source, destination, rule ID, action; the *** remarks are the presenter's):

    Sub 7 Trojan                                BOTH  *  *  GI064A  pass
    Quake and Derivatives                       BOTH  *  *  GI064B  pass
    Hack-a-Tack                                 BOTH  *  *  GI068A  pass
    Sub 7 Artifact                              BOTH  *  *  GI035A  pass
    Sub 7 Trojan                                BOTH  *  *  GI034B  pass
    NetSphere Trojan                            BOTH  *  *  GI064B  pass
    SANS Russian Trojan SD423439 Host Blocks    BOTH  *  *  GI021A  pass   ***This one was mine!
    mstream DoS attack                          BOTH  *  *  GI087g  pass   ***Interesting port to monitor.
    GNUTELLA                                    BOTH  *  *  GI086   pass   ***Peer to peer stuff. Season to your taste.
    Deep Throat Trojan Back Door SANS           BOTH  *  *  GI085   pass

Page 100: Networks and Security

GRC.COM's IPAgent Scan (free)

IPAgent is a small program that works with a server at the grc.com web site. It does a quick service scan of your Internet address and then gives you the results in a web page. Very cool, and a good way to get a good night's sleep.

Page 101: Networks and Security

Cryptographic Signatures for Log Files

    cd /var/log
    md5 * > files.signed

(Results on next slide.)

What should happen to the cryptographic log signature? It must not stay on the host it protects: an intruder with root can edit the logs and rerun md5. Write it to another machine or to write-once media, and prefer a keyed MAC or a digital signature to a bare hash.

Page 102: Networks and Security

Cryptographic Signatures for Log Files

    MD5 (DumpACL.bmp) = 605a3a25509ae2544be6226d80f03f88
    MD5 (Google on 1.2.doc) = 754ca03e3d9ebda8417a6077ca6a0d01
    MD5 (L0PHTAntiSniff.bmp) = bf103290401593b6facd7348af8e8176
    MD5 (L0PHTCrack3init.jpg) = 7ed453ee8e3dfb49109deb48bc3e49ad
    MD5 (LANguard01.bmp) = 4a5b1d9ebb705a40d692e771bd3008be
    MD5 (LANguard02.bmp) = 0d9e0bcac7996e5aebe194e99be6be06
    MD5 (LANguard03.bmp) = 112069b54acf47e638987f02b77bd3f3
    MD5 (LANguard04.bmp) = 2596984869bb792735c34ae8aa294ff2
    MD5 (LANguard05.bmp) = 2b662e5ef494a4bc7aff0b983a548d46
    MD5 (LANguard06.bmp) = c97ccaef49926c77fb2bc62c44f06e9b
    MD5 (NAISniffer.bmp) = cf0e4cbd7569718e284a71f4a7b30ef6
    MD5 (SamSpade.bmp) = fb918f4fceb8b6c97c9725558324127a
    MD5 (SamSpade2.bmp) = 52c0d752b7dd4661466a9a01123259cf
    MD5 (SamSpade3.bmp) = c49ecd049e47135b481166abbf67ffb9
    MD5 (inzider2.jpg) = eb0fb6b0f8df47f7c63ba7b8d15ebdfc
    MD5 (md5.txt) = d41d8cd98f00b204e9800998ecf8427e
    MD5 (netstata.txt) = 35642c009d287a329fb783b6ab1a9fbd
    MD5 (nmap.txt) = d663bb68fbf4a215fb9daa30f33b0aba
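The question on slide 101 has a concrete answer: a hash list written into /var/log with the same privileges the logs have is worthless against an intruder who already has root, because after editing the logs they simply rerun md5. What makes a log signature worth anything is a key the server does not hold (or, equivalently, a signature computed on a separate collection host). The added example below (not from the slides) computes a keyed HMAC-SHA256 manifest over a constructed log directory, then shows that editing one file and deleting another is detected when the manifest is verified with the key. The directory, file names and log lines are made up for the demo.

```python
"""Added example: keyed integrity manifest for a log directory.

The key must live somewhere the logging host cannot read once compromised
(a log collector, an HSM, an offline operator). Everything here is constructed
for the demo: the directory, the file names and the log lines.
"""
import hashlib
import hmac
import os
import tempfile


def hmac_file(path, key):
    """HMAC-SHA256 of one file, streamed so large logs need not fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def sign_logs(log_dir, key):
    """Return {relative path: hex MAC} for every regular file under log_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, log_dir).replace(os.sep, "/")
            manifest[rel] = hmac_file(path, key)
    return manifest


def verify_logs(log_dir, key, manifest):
    """Recompute and compare; returns (modified, missing, added) as sorted lists."""
    current = sign_logs(log_dir, key)
    modified = sorted(p for p in manifest
                      if p in current and not hmac.compare_digest(current[p], manifest[p]))
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return modified, missing, added


def _write(log_dir, rel, lines):
    path = os.path.join(log_dir, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("".join(lines))


def demo():
    """Sign a constructed log tree, tamper with it the way an intruder covering tracks would, verify."""
    key = os.urandom(32)   # demo only; in practice this key never touches the logging host's disk
    failed = "Nov 15 15:11:50 www sshd[1234]: Failed password for root from 192.0.2.5 port 41022 ssh2\n"
    accepted = "Nov 15 15:12:03 www sshd[1234]: Accepted password for root from 192.0.2.5 port 41022 ssh2\n"
    hit = '192.0.2.5 - - [15/Nov/2001:15:10:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -\n'
    with tempfile.TemporaryDirectory() as log_dir:
        _write(log_dir, "auth.log", [failed, failed, accepted])
        _write(log_dir, "httpd/access.log", [hit])
        manifest = sign_logs(log_dir, key)
        clean = verify_logs(log_dir, key, manifest)

        # Covering tracks: drop the failed logins, remove the web log entirely.
        _write(log_dir, "auth.log", [accepted])
        os.remove(os.path.join(log_dir, "httpd", "access.log"))
        tampered = verify_logs(log_dir, key, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before tampering (modified, missing, added):", clean)
    print("after tampering  (modified, missing, added):", tampered)
```

Sign at a fixed interval and ship each manifest off the host as it is produced; a manifest only vouches for the state at the moment it was computed, so the interval is the window an intruder has to edit a log undetected.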

Page 103: Networks and Security

Firewall Logs

Page 104: Networks and Security

Firewall Logs

Incredible amounts of information are available from FW logs! Here the log records the files a Napster client on the network is sharing (port 8888):

    Napster_Sharing,8888,"c:\xxx old drive\corel\suite8\movies\Currency.avi"
    Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\09_The Making of Brain Salad Surgery.mp3"
    Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Copy of Bob Dylan -Like A Rolling Stone.mp3"
    Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Tenacious D - With Karate Ill Kick Your Ass.mp3"
    Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\{Techno}Sm_Trax_-_Got_the_Groove.mp3"
    Napster_Sharing,8888,"c:\xxx old drive\corel\suite8\movies\Currency.avi"
    Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Copy of Bob Dylan -Like A Rolling Stone.mp3"
    Napster_Sharing,8888,"c:\xxx old drive\program files\napster\incomplete\Tenacious D - With Karate Ill Kick Your Ass.mp3"

Page 105: Networks and Security

Honey Pots

PCs that wait for the hacker to connect.

Port connection detection
– Shell scripts that spawn small programs which answer in a predefined manner on popular ports typical of standard operating systems.

Operating system sensors
– Psionic PortSentry for Linux (Unix)
– Windows operating system based connection

Page 106: Networks and Security

Honey pots?

Page 107: Networks and Security

Intrusion Detection Systems

PCs that monitor network traffic looking for specific data packet patterns indicative of harmful network traffic, such as:

– Trojans: hidden remote access programs
– Software viruses
– E-mail subject lines and attachment types and content
– Suspicious FTP/TFTP transfers
– ssh and scp versions and session information
– Peer-to-peer program login information
– Service scans or attacks by hackers

Page 108: Networks and Security

Intrusion Detection Logging

Page 109: Networks and Security

Event Severity Levels

95% Informational/False Positives
– Network-wide port scans

4% Warning
– Per-host scans, but no compromise

<.1% Critical
– Continuous attack from one IP address

<.01% Emergency
– Successful exploit of a system

Page 110: Networks and Security

Intrusion Detection Systems

Long term: database queries

Packet databases against which SQL queries can answer the question: who issued a single ping in the last six months not associated with any web, e-mail, FTP or ssh connections?

This technique is predicated on a large database composed of suspicious packets.

It can discover complex relationships over a number of months.

This is a method to discover the talented or professional attackers!
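The slide's "lone ping" question written out as a SQL query and run against a small packet table in sqlite3. This is an added example, not from the deck; the schema, column names, port list and every row are assumptions constructed for the demonstration, since the deck only states the question the query must answer.

```python
"""Added example (not from the deck): the slide's 'lone ping' question as a SQL
query over a packet table, run here in sqlite3. Schema, columns and rows are
assumptions constructed for the demonstration."""
import sqlite3

SCHEMA = """
CREATE TABLE packets (
    ts        TEXT,     -- ISO-8601 capture time
    src       TEXT,     -- source address
    dst       TEXT,
    proto     TEXT,     -- 'ICMP', 'TCP' or 'UDP'
    icmp_type INTEGER,  -- 8 = echo request; NULL for non-ICMP
    dst_port  INTEGER   -- NULL for ICMP
);
"""

# Constructed rows. 10.9.9.9 is the needle: one echo request and nothing else.
ROWS = [
    ("2001-01-15T03:12:00", "10.9.9.9", "137.190.3.212", "ICMP", 8, None),
    ("2001-01-16T10:00:00", "10.1.1.1", "137.190.160.2", "ICMP", 8, None),
    ("2001-01-16T10:00:05", "10.1.1.1", "137.190.160.2", "TCP", None, 80),  # web user
    ("2001-02-01T12:00:00", "10.2.2.2", "137.190.3.212", "TCP", None, 22),  # ssh only
    ("2001-03-01T00:00:00", "10.3.3.3", "137.190.3.212", "ICMP", 8, None),  # two pings,
    ("2001-04-01T00:00:00", "10.3.3.3", "137.190.3.212", "ICMP", 8, None),  # not one
    ("2000-06-01T00:00:00", "10.4.4.4", "137.190.3.212", "ICMP", 8, None),  # too old
]

# Ports standing in for "web, e-mail, FTP or ssh" in the slide's question.
SERVICE_PORTS = (80, 443, 25, 110, 143, 21, 22)
PORT_LIST = ",".join(str(p) for p in SERVICE_PORTS)

LONE_PING_SQL = f"""
SELECT p.src, MIN(p.ts) AS pinged_at
FROM packets AS p
WHERE p.proto = 'ICMP' AND p.icmp_type = 8 AND p.ts >= :since
  AND NOT EXISTS (
      SELECT 1 FROM packets AS q
      WHERE q.src = p.src AND q.proto = 'TCP' AND q.ts >= :since
        AND q.dst_port IN ({PORT_LIST}))
GROUP BY p.src
HAVING COUNT(*) = 1
ORDER BY p.src
"""

def load_db(rows=ROWS):
    """In-memory packet database; a real deployment is fed by the sensor."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO packets VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con

def lone_pings(con, since):
    """Sources that sent exactly one echo request since `since` and never
    touched a web, mail, FTP or ssh port in that window."""
    return con.execute(LONE_PING_SQL, {"since": since}).fetchall()

if __name__ == "__main__":
    # Six months back from the constructed analysis date 2001-05-01.
    print(lone_pings(load_db(), "2000-11-01T00:00:00"))
```

Widening the window (an earlier `since`) pulls in 10.4.4.4 as well, which is the point of keeping months of packets: the lone ping only stands out once the rest of the source's silence is in the same table.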

Page 111: Networks and Security

Intrusion Detection Market

– Internet Security Systems: 71%
– Network Associates: 13%
– L3: 4%
– Axent: 3%
– Others: 10%

Source: IDC and ISS

Page 112: Networks and Security

Port Scans

”nmap” is the preferred tool along with “fping” and “hping”.

Src Host        Src Port  Dst Host       Dst Port  Pcol  Service
212.177.241.99  3486      137.190.3.212  143       TCP   imap
212.177.241.99  3487      137.190.3.212  110       TCP   pop3
212.177.241.99  3488      137.190.3.212  111       TCP   6/111/3488
212.177.241.99  3489      137.190.3.212  6000      TCP   x11
212.177.241.99  3490      137.190.3.212  79        TCP   finger
212.177.241.99  3491      137.190.3.212  53        TCP   dns
212.177.241.99  3492      137.190.3.212  31337     TCP   6/31337/3492
212.177.241.99  3493      137.190.3.212  2766      TCP   6/2766/3493
212.177.241.99  3494      137.190.3.212  139       TCP   netbios-ssn
212.177.241.99  3495      137.190.3.212  25        TCP   smtp
212.177.241.99  3496      137.190.3.212  21        TCP   ftp
212.177.241.99  3497      137.190.3.212  22        TCP   ssh
212.177.241.99  3498      137.190.3.212  1114      TCP   6/1114/3498
212.177.241.99  3499      137.190.3.212  1         TCP   6/1/3499
212.177.241.99  3500      137.190.160.2  80        TCP   http
212.177.241.99  3501      137.190.160.2  23        TCP   telnet
212.177.241.99  3502      137.190.160.2  143       TCP   imap
212.177.241.99  3503      137.190.160.2  110       TCP   pop3
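The records above, read the way an analyst would: one source, climbing source ports, many destination ports, and a probe of a well-known trojan listener port among them. This added example (not from the deck) summarises such firewall records per source host and assigns a severity in the deck's own scheme from the Event Severity Levels slide; the thresholds, the watched-port table and the extra ordinary client 10.0.0.5 are constructed.

```python
"""Added example (not from the deck): summarise firewall records from the
'Port Scans' slide per source host. Column order follows the slide (src host,
src port, dst host, dst port, protocol, service). Thresholds and the watched-port
table are constructed for the demonstration."""
from collections import defaultdict

# Records from the slide plus one constructed ordinary web client (10.0.0.5).
SAMPLE_LOG = """\
212.177.241.99 3486 137.190.3.212 143 TCP imap
212.177.241.99 3487 137.190.3.212 110 TCP pop3
212.177.241.99 3488 137.190.3.212 111 TCP 6/111/3488
212.177.241.99 3489 137.190.3.212 6000 TCP x11
212.177.241.99 3490 137.190.3.212 79 TCP finger
212.177.241.99 3491 137.190.3.212 53 TCP dns
212.177.241.99 3492 137.190.3.212 31337 TCP 6/31337/3492
212.177.241.99 3494 137.190.3.212 139 TCP netbios-ssn
212.177.241.99 3497 137.190.3.212 22 TCP ssh
212.177.241.99 3500 137.190.160.2 80 TCP http
212.177.241.99 3501 137.190.160.2 23 TCP telnet
10.0.0.5 40001 137.190.160.2 80 TCP http
10.0.0.5 40002 137.190.160.2 80 TCP http
"""

# Constructed watch-list: default listener ports of trojans the deck names later.
WATCHED_PORTS = {31337: "Back Orifice", 12345: "NetBus"}
PORT_SCAN_MIN = 5    # distinct ports on one host -> per-host scan
HOST_SWEEP_MIN = 8   # distinct hosts -> network-wide scan

def parse_log(text):
    """Return one dict per record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not (f[1].isdigit() and f[3].isdigit()):
            continue
        records.append({"src": f[0], "sport": int(f[1]), "dst": f[2],
                        "dport": int(f[3]), "proto": f[4],
                        "service": f[5] if len(f) > 5 else ""})
    return records

def classify(records):
    """Per source: distinct targets, whether source ports climb monotonically
    (one process opening connection after connection, as a connect() scan does;
    a supporting signal only, since normal clients also get climbing ephemeral
    ports), watched ports touched, and a severity in the deck's own scheme."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    report = {}
    for src, recs in by_src.items():
        hosts = {r["dst"] for r in recs}
        ports = {r["dport"] for r in recs}
        sports = [r["sport"] for r in recs]
        summary = {
            "hosts": len(hosts),
            "ports": len(ports),
            "ascending_src_ports": len(sports) > 1 and all(b > a for a, b in zip(sports, sports[1:])),
            "watched": {p: WATCHED_PORTS[p] for p in ports if p in WATCHED_PORTS},
        }
        if len(hosts) >= HOST_SWEEP_MIN:
            summary["severity"] = "Informational: network-wide port scan"
        elif len(ports) >= PORT_SCAN_MIN:
            summary["severity"] = "Warning: per-host scan, no compromise shown"
        else:
            summary["severity"] = "none"
        report[src] = summary
    return report

if __name__ == "__main__":
    for src, s in classify(parse_log(SAMPLE_LOG)).items():
        print(src, s)
```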

Page 113: Networks and Security

Intrusion Detection System Logs

Severity (icon), Time, Attack, Intruder, Count
1, 02/12/01 14:56:01, UDP port probe, 204.113.234.2, 6
1, 02/16/01 11:11:00, DNS port probe, 213.69.97.66, 1
2, 02/23/01 11:09:41, SNMP discovery broadcast, WS10060926, 1
1, 02/25/01 20:18:12, DNS port probe, cr644852-a.rchrd1.on.wave.home.com, 2
2, 02/26/01 00:43:30, SNMP discovery broadcast, wsuidrive.weber.edu, 9
1, 02/26/01 11:22:42, HTTP port probe, 204.113.234.2, 5
1, 02/28/01 11:01:58, TCP port probe, 204.113.234.2, 127
2, 02/28/01 11:02:23, TCP SYN flood, 204.113.234.2, 13
2, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 59
1, 02/28/01 11:04:09, TCP port scan, 204.113.234.2, 5531
1, 02/28/01 11:04:12, UDP port probe, 204.113.234.2, 2
2, 02/28/01 11:04:12, TCP OS fingerprint, 204.113.234.2, 6
1, 02/28/01 11:04:12, TCP ACK ping, 204.113.234.2, 4
2, 02/28/01 11:04:12, NMAP OS fingerprint, 204.113.234.2, 4
2, 03/06/01 16:41:10, UDP port scan, kappa.weber.edu, 1
1, 03/07/01 10:00:00, DNS port probe, integrex.colo.magmom.net, 1
1, 03/07/01 12:23:00, FTP port probe, cr330368-a.etob1.on.wave.home.com, 3
3, 03/14/01 13:40:09, PPTP malformed, pipeline1.weber.edu, 1

Page 114: Networks and Security

Gaining Access

Objective
– To compile enough knowledge to choose an informed hack/crack technique
– Back doors, social engineering, buffer overflows, promiscuous password grabs, hacks, etc.

Tools
– Telephone, war dialing, crack, Legion, pwdump2, bind and LPR hacks, etc.

Page 115: Networks and Security

Gaining Access

The NULL session: Microsoft’s master key to any Windows box under WIN2K

Buffer overflows to known port services might do it

Page 116: Networks and Security

Buffer Overflows

(Diagram: typical buffer overflow)

Page 117: Networks and Security

Mechanics of Buffer Overflows

Goal: exploit a buffer overflow vulnerability to perform a malicious function on a target system.

1. Identify an open port, or confirm that local access is available
2. Test the input string types and boundaries accepted by the program
3. Construct an input value that will perform the malicious function when executing with the program’s privileges in the host program’s address space
4. Execute the program so that it jumps to the additional malicious code

Page 118: Networks and Security

Buffer Overflows Fuel Network Based Worms

Recent worm attacks
– L1on Linux worm
– SQL Slammer
– Ramen Linux worm
– Code Red worm for Windows
– Nimda Windows worm

Page 119: Networks and Security

Windows Processes

Page 120: Networks and Security

Unix processes (ps –ex or ps auwx)

Page 121: Networks and Security

Inzider2 – What Your Mother Didn’t Tell You

Attackers routinely bypass operating system memory and process management to hide trojan programs.

inzider2 does a brute force memory check for processes. It’s important for virus checkers to look in memory for viruses and not just on disk.

Page 122: Networks and Security

Forensic Analysis of Packets

Hackers hidden? No, the evidence is on the wire!

TCP, UDP, and ICMP packets hold numerous clues!
– Sequence numbers
– Window size
– Target and source ports
– IP addresses
– Flags and more offer an insight into your attacker

Page 123: Networks and Security

Forensic Analysis of Packets

Let’s try it! What’s going on in the following capture? Polymorphic destination and timing.

2000/03/23 08 20 00 18 OUT 192.72.120.74 204.113.223.234 ping_resp none 10 1120
2000/03/23 07 36 32 18 OUT 192.72.120.74 204.113.34.112 ping_resp none 7 784
2000/03/23 08 31 51 18 OUT 192.72.120.74 204.113.79.122 ping_resp none 9 1008
2000/03/23 07 46 15 18 OUT 195.238.2.19 204.113.86.205 1/3/3 none 6 576
2000/03/23 07 40 48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
2000/03/23 07 32 35 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 6 672
2000/03/23 07 50 43 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 2 224
2000/03/23 07 59 27 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
2000/03/23 08 07 28 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 6 672
2000/03/23 07 32 48 18 OUT 195.238.2.19 204.113.81.71 1/3/3 none 2 224
2000/03/23 07 50 23 18 OUT 195.238.2.19 204.113.58.18 1/3/3 none 4 448
2000/03/23 07 59 40 18 OUT 195.238.2.19 204.113.58.24 1/3/3 none 2 224

Page 124: Networks and Security

Polymorphism and Distracters

Polymorphic destinations, sources, and ports. What’s an IDS to do?

2000/03/30 14 21 53 2 IN 192.41.60.38 204.113.124.89 6/13643/1971 1 40
2000/03/30 14 21 54 2 IN 209.252.122.37 204.113.169.21 6/65457/47868 1 40
2000/03/30 14 21 57 2 IN 130.49.68.73 204.113.230.81 6/20443/11946 1 40
2000/03/30 14 22 04 2 IN 145.101.193.19 204.113.147.45 6/64071/7698 1 40
2000/03/30 14 22 08 2 IN 209.252.122.37 204.113.144.80 6/56431/28396 1 40
2000/03/30 14 22 11 2 IN 209.252.122.37 204.113.119.121 6/11602/9082 1 40
2000/03/30 14 22 11 2 IN 208.28.236.81 204.113.110.4 6/23201/49700 1 40
2000/03/30 14 22 17 2 IN 192.41.60.38 204.113.112.82 6/59299/63684 1 40
2000/03/30 14 22 18 2 IN 199.183.9.105 204.113.234.88 6/43377/65316 1 40
2000/03/30 14 22 19 2 IN 199.183.9.105 204.113.230.106 6/59932/28865 1 40
2000/03/30 14 22 22 2 IN 209.252.122.37 204.113.202.17 6/19822/61999 1 40
2000/03/30 14 22 22 2 IN 209.247.108.212 204.113.205.71 6/46531/28491 1 40
2000/03/30 14 22 23 2 IN 208.28.236.81 204.113.253.118 6/65448/43557 1 40
2000/03/30 14 22 24 2 IN 194.47.143.229 204.113.43.81 6/64904/14091 1 40
2000/03/30 14 22 31 2 IN 204.113.53.34 204.113.63.255 netbios gm 5 1145
2000/03/30 14 22 34 2 IN 209.247.108.212 204.113.250.115 6/8463/38040 1 40

Page 125: Networks and Security

Escalating Privileges

Objective
– If user access, elevate to system access.

Technique
– Password cracking, known exploits, buffer overflows in known user-level programs

Tools
– L0PHTcrack, john, getadmin, sechole, lc_messages, etc.
– Sendmail had numerous hacks to raise privilege to “root”.
– Getadmin is a user-level program designed to raise an unprivileged user to “admin” on Windows ’95 and ’98

Page 126: Networks and Security

Pilfering

Objective
– Grab any interesting/profitable data on the machine

Technique
– Evaluate trusts, look for clear-text passwords

Tools
– cat, type, rhosts, search e-mail, LSA secrets, user data, config files, and registry data.

Page 127: Networks and Security

Covering Tracks

Objective
– Hide the interloper’s romp through the machine

Technique
– Clear or modify logs, hide tools, install "root" kits and trojans

Tools
– zap, rm *.log, B.O., SubSeven, NetBus, etc.

Page 128: Networks and Security

Trojans

I want to come back and show the others in my clan!

Trojans – BackOrifice, NetBus, and SubSeven.

If you find a trojan – make sure you understand how it got there!

Page 129: Networks and Security

Covering Tracks

Generally, but not always, a malicious exit.

Crash the server.

Page 130: Networks and Security

Password Cracking

L0PHT Crack III (LC4)

Page 131: Networks and Security

Case Study: Nimda Worm

– Worm = self-replicating malicious code
– Discovered September 18, 2001
– Derivative of Code Red worm (June 2001)
– Affects all Windows platforms
– Estimated $500 million downtime and clean-up cost in first 24 hours
– Unique in its variety of propagation techniques

Page 132: Networks and Security

Intrusion Detection Hits on NIMDA

First sign - explosive TFTP activity.

Page 133: Networks and Security

Intrusion Detection Hits on NIMDA

Second sign: the same file transferred every time! Admin.dll

Page 134: Networks and Security

1. Scans for vulnerable IIS servers
2. Infects web browsers
3. Searches for network shares
4. E-mails copies to other users (ISS)

(Diagram: Nimda infected server spreading across the Internet, Accounting, DMZ, Engineering and Desktops segments)

Page 135: Networks and Security

Nimda Lessons Learned

– Mimics and automates attacker behavior
– Threats are not confined to high-profile targets
– There is no “silver bullet”
– Depth and diversity of defense is required
– Strong methodology is the only proven way to address complex security challenges

Page 136: Networks and Security

Nimda Lessons Learned

– Use patches to address vulnerabilities
– Update policy to require hardening of servers and desktops
– Obtain threat and vulnerability detection tools

(Diagram: IDS sensors and a scanner placed across the Internet, Accounting, DMZ, Engineering and Desktops segments)

Page 137: Networks and Security

References

Security Web Sites and Alerts Lists

http://nsi.org

http://www.cs.purdue.edu/coast/

http://www.telstra.com.au/info/security.html

http://www.nsi.org/Compsec.html

http://www.securityportal.com/

http://www.ntbugtraq.com/

http://www.icsa.net/

http://www.phrack.com/

Page 138: Networks and Security

References

Security Web Sites

http://www.2600.com/

http://www.securityfocus.com/

ftp://ftp.porcupine.org/pub/security/index.html

http://www.l0pht.com/

http://www.ibiblio.org/matusiak/bkmrk.html/

Page 139: Networks and Security

References

Security Vulnerabilities

http://xforce.iss.net/

http://seclab.cs.ucdavis.edu/projects/vulnerabilities/#database/

http://www.cerias.purdue.edu/coast/projects/vdb.html

http://www.rootshell.com/

Page 140: Networks and Security

References

Security Tools

http://packetstorm.securify.com/

ftp://ciac.llnl.gov/pub/ciac/sectools/unix/

ftp://coast.cs.purdue.edu/pub/tools/

ftp://ftp.cert.org/pub/tools/

ftp://ftp.win.tue.nl/pub/security/

ftp://ftp.funet.fp/pub/unix/security/

Page 141: Networks and Security

References

Securing Wireless Ethernet

http://c:\CISO_CDROM\Protecting 802.11b Networks.txt

Page 142: Networks and Security

References

Encryption

http://www.gnupg.org/ - GNU Privacy Guard (PGP replacement)

http://www.openssl.org/ - OpenSSL (free SSL toolkit)

http://www.pgpi.com/ - PGP (International)

http://www.pgp.com/ - PGP (US)

http://www.ssh.fi/ - SSH Communications

http://net.lut.ac.uk/psst/ - psst - GNU’s ssh replacement

http://www.ssleay.org/ - SSLeay (use OpenSSL now)

Page 143: Networks and Security

Resources

Conferences

http://www.sans.org/newlook/home.php

http://www.gocsi.com/wkshop.shtml/

http://www.nsa.gov/isso/programs/coeiae/index.htm

http://www.misti.com/

http://csrc.nist.gov/ATE/

Page 144: Networks and Security

References

Security Trends

http://c:\CISO_CDROM\Hack Attacks Global Concern.html

http://www.vnunet.com/News/1126993.html

http://C:\CISO_CDROM\Managing the CyberThreat.htm , Control Risks Group.

http://www.esat.kuleuven.ac.be/cosic/news-981028.html

http://www.sans.org/, See http://C:\CSO_CDROM\Threats.htm

Page 145: Networks and Security

References

Security Trends

http://www.vectec.org/researchcenter/stats.html?category=9

http://www.securitysoftwaretech.com/antisniff/purpose.html

Software Description

http://c:\CISO_CDROM\Software Description.html

Page 146: Networks and Security

References

Covert TCP Connections

http://c:\CISO_CDROM\Covert.txt ; covert.tcp.tar

Firewall Information

http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

Intrusion Detection Information

http://www.snort.org

Page 147: Networks and Security

References

Denial of Service

http://c:\CISO_CDROM\DoS_trends.pdf

http://c:\CISO_CDROM\grc.txt

http://media.grc.com:8080/files/grcdos.pdf

http:\\c:\CISO_CDROM\DDoS

//c:\CISO_CDROM\E-mail Log (raw).txt

http://www.silicondefense.com/software/snortsnarf/

SMTP Body Parts

http://www.cis.ohio‑state.edu/cgi‑bin/rfc/rfc821.html

Page 148: Networks and Security

References

Setting Security Standardshttp://www.gcn.com/vol19_no6/news/1564-1.html

http://csrc.nist.gov/csrc/maillist.html

http://csrc.nist.gov/csrc/standards.html

http://csrc.nist.gov/publications/nistpubs/800-7/node280.html (IEEE)

http://csrc.nist.gov/publications/nistpubs/800-7/node278.html (CCIT)

http://csrc.nist.gov/publications/nistpubs/800-7/node279.html (ECMA)

Page 149: Networks and Security

References

Threats

Known Exploits and Prevention

http://ist‑it‑true.org/pt,

http://hackersplayground,

http://packetstorm.widexs.nl/exploits20.shtml

http://astalavista.box.sk.

Page 150: Networks and Security

References

Daemon9, aka Route. "Project Neptune." (Phrack 48, Article 13, 1996)

Irwin, Vicki and Pomeranz, Hal. "Advanced Intrusion Detection and Packet Filtering." (SANS Network Security 99, 1999)

Newsham, Tim, and Ptacek, Tom. "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection." (Secure Networks, Inc., 1998)

Northcutt, Stephen. Network Intrusion Detection: An Analyst's Handbook. (Indianapolis, Indiana: New Riders, 1999)

Postel, Jon (ed.). "RFC 793: Transmission Control Protocol." (Defense Advanced Research Projects Agency, 1981)

Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. (Reading, Massachusetts: Addison-Wesley, 1994)

Page 151: Networks and Security

Windows O.S. Security How To’s

http://www.microsoft.com/technet/itsolutions/howto/sechow.asp

Get help securing your corporate network with these step-by-step How-To guides.

Windows 2000 Professional

Page 152: Networks and Security

System Security in Windows 2000

– Apply Predefined Security Templates in Windows 2000
– Change the Policy Settings for a Certification Authority (CA) in Windows 2000
– Configure a Certificate Authority to Issue Smart Card Certificates in Windows 2000
– Configure a Domain EFS Recovery Policy in Windows 2000
– Configure Certificate Trust Lists in Internet Information Services 5.0
– Configure Security for a Simple Network Management Protocol Service in Windows 2000
– Configure Windows 2000 Server to Notify You When a Security Breach Is Being Attempted
– Control Access to a Database on a Web Server in Windows 2000
– Create Automatic Certificate Requests with Group Policy in Windows
– Define Security Templates in the Security Templates Snap-in in Windows 2000
– Disable the Automatic L2TP/IPSec Policy
– Enforce a Remote Access Security Policy in Windows 2000

Page 153: Networks and Security

Windows 2000

– Export Certificates in Windows 2000
– Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows 2000
– Get a Certificate Signed by an Off-Network Root Authority in Windows 2000
– Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000
– Install a Smart Card Reader in Windows 2000
– Keep Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows 2000
– Prevent the Last Logged-On User Name from Being Displayed in Windows 2000
– Publish a Certificate Revocation List in Windows 2000
– Use Group Policy to Apply Security Patches in Windows 2000
– Use IPSec Policy to Secure Terminal Services Communications in Windows 2000
– Use the Directory Services Store Tool to Add a Non-Windows 2000 Certification Authority (CA) to the PKI in Windows 2000
– Back Up Your Encrypting File System Private Key in Windows 2000

Page 154: Networks and Security

Windows 2000 Server

– Configure a Primary Internet Authentication Service Server on a Domain Controller
– Configure Remote Access Client Account Lockout in Windows 2000
– Configure Security for Files and Folders on a Network (Domain) in Windows 2000
– Monitor for Unauthorized User Access in Windows 2000
– Prevent Users From Changing a Password Except When Required in Windows 2000
– Prevent Users From Submitting Alternate Logon Credentials in Windows 2000
– Restore an Encrypting File System Private Key for Encrypted Data Recovery in Windows 2000

Page 155: Networks and Security

Windows 2000 Server

– Perform Security Planning for Internet Information Services 5.0
– Configure the Security for a Server That Uses Microsoft NNTP Service in Windows 2000
– Configure User and Group Access on an Intranet in Windows NT 4.0 or Windows 2000
– Provide Secure Point-to-Point Communications Across the Internet in Windows 2000
– Safely Connect Your Company to the Internet in Windows 2000
– Set SMTP Security Options in Windows 2000
– Use IPSec Monitor in Windows 2000

Deploy
– Enable SSL for All Customers Who Interact with Your Web Site in Internet Information Services
– View or Change Authentication Methods in IIS

Operate
– View or Change Authentication Methods in IIS
– Prevent Users from Accessing Unauthorized Web Sites in ISA Server
– Provide Internet Access Through a Firewall in Internet Security and Acceleration Server
– Add an Authorized Page Warning in Windows 2000

Page 156: Networks and Security

Windows 2000 Server

– Configure IIS 5.0 Web Site Authentication in Windows 2000
– Install Imported Certificates on a Web Server in Windows 2000
– Prevent Mail Relay in the IIS 5.0 SMTP Server in Windows 2000
– Prevent Web Caching in Windows 2000
– Secure XML Web Services with Secure Socket Layer in Windows 2000
– Set Secure NTFS Permissions on IIS 5.0 Log Files and Virtual Directories in Windows 2000
– Use Internet Protocol Security to Secure Network Traffic Between Two Hosts in Windows 2000
– Use NTFS Security to Protect a Web Page Running on IIS 4.0 or 5.0

Page 157: Networks and Security

Windows XP

– Access an EFI Partition in Windows XP 64-Bit Edition
– Audit User Access of Files, Folders, and Printers in Windows XP
– Change the Logon Window and the Shutdown Preferences in Windows XP
– Configure a Preshared Key for Use with Layer 2 Tunneling Protocol Connections in Windows XP
– Create and Disable Administrative Shares on Windows XP
– Delegate Security for a Printer in Windows XP
– Disable the Local Administrator Account in Windows
– Encrypt a File in Windows XP
– Encrypt a Folder in Windows XP
– Encrypt Offline Files to Secure Data in Windows XP
– Manage Stored User Names and Passwords on a Computer in a Domain in Windows XP
– Manage Stored User Names and Passwords on a Computer That Is Not in a Domain in Windows XP
– Prevent a User From Running or Stopping a Scheduled Process in Windows XP
– Remove File Encryption in Windows XP

Page 158: Networks and Security

Windows XP

– Set Up a .NET Passport Account in Windows XP
– Set WMI Namespace Security in Windows XP
– Set, View, Change, or Remove File and Folder Permissions in Windows XP
– Set, View, Change, or Remove Special Permissions for Files and Folders in Windows XP
– Share Access to an Encrypted File in Windows XP
– Turn On Remote Desktop Automatic Logon in Windows XP
– Use Cipher.exe to Overwrite Deleted Data in Windows
– Use the Autologon Feature in the Remote Desktop Connection in Windows XP
– Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
– Use the Microsoft Personal Security Advisor Web Site in Windows

Internet Security and Acceleration Server
– Configure Logging in Internet Security and Acceleration Server
– Set Up and Allocate Bandwidth in ISA Server
– Configure the ISA Server 2000 HTTP Redirector Filter in Windows 2000
– Enable Reporting in Internet Security and Acceleration Server 2000
– Filter ISA Server Web Proxy Cache Entries in Windows 2000

Page 159: Networks and Security

Windows XP

Monitor Server Activity in Internet Security and Acceleration Server 2000

Securely Publish Multiple Web Sites by Using ISA Server in Windows 2000

Set Bandwidth Configuration in Microsoft Internet Security and Acceleration Server