Local Area Network Security
He had never really thought about it, but now that he was seeing
it, he couldn’t believe it. Jonesy (it wasn’t his real name, but the
persona he assumed when he was on the Net) looked at the data jack,
mounted in the wall above the desktop. What a blessing from the Muse
of things electronic!
Shielded from direct view, he quickly disconnected the cable from
the workstation, connected the cable from his laptop, and went to work.
He wouldn’t even have to reconfigure his network settings. The DHCP
server would automatically connect him. Maybe next time he’d choose
another host name in case they were auditing logons. In under a minute
he was in.
What he had was an untraceable connection. The Internet stretched
out in front of him like the wide-open spaces before a Porsche. He figured
he had thirty minutes before he had to start looking to disconnect and
get out gracefully.
Password Security
Undoubtedly, the least expensive and most important aspect of network
security is the use of appropriate passwords. Password protection is inherent
in various aspects of the network:
- Administrative access to server functions
- Workstation access to various files and services (such as the Internet)
- Administrative access to network hubs, switches, routers, and firewalls
- Access to administrative files, such as confidential personnel files or reports
Yet, given its importance as a foundational aspect of network security,
it is ironically often the least emphasized. Password security has three
facets: selection, documentation, and enforcement. Creating and implementing
a password policy is the first step in developing password security (a
sample password policy is included in Part III). The policy will outline
the rules for creating good passwords, called strong passwords in most
security documents: the minimum number of characters to be used, what
types of characters, how often the password needs to be changed, and
other aspects of password usage. Here are the checklist items related
to password security:
- Develop a written password policy and provide it to all staff and patrons using specific user logons
- Develop written instructions for creating strong passwords and provide them to all staff and patrons using specific user logons
- Document passwords for all network equipment, servers, and workstations
- Store password documentation in a secure location known only to the library director and one other person
In addition to developing the policy, it is important to develop training
materials for your staff. If your library provides user-specific accounts
for your patrons, the training materials should also be distributed to
your patrons. Make sure all administrative passwords are written down
(yes, write them down, but not on post-it notes stuck to your monitor!).
Just like the keys to locked storage, the passwords need to be stored
in a secure location known only by the library director and one other
staff member.
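As an added example, not code from the original document or from any library's actual policy, the following Python checks a candidate password against the kinds of rules a written policy specifies (minimum length, character classes, no user name or common words, no trivial repetition) and tells whether a password is past its maximum age. The thresholds, the banned-word list, and the sample passwords are assumptions chosen for the demonstration.

```python
"""Strong-password check against a written password policy.

Added example; the policy values below (minimum length, character
classes, maximum age, banned words) are assumptions, not the
document's own figures.
"""
import re
from datetime import date

MIN_LENGTH = 8           # assumed policy minimum
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, punctuation
MAX_AGE_DAYS = 90        # assumed maximum password age
BANNED_WORDS = {"library", "password", "patron", "admin", "welcome"}  # assumed list


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    # Report the first banned word found (sorted so the report is deterministic)
    for word in sorted(BANNED_WORDS):
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
            break
    # 'aaaaaaaa' or 'abababab' pass the length rule but are trivial to guess
    if len(set(password)) <= 2:
        problems.append("made from one or two repeated characters")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the policy's maximum age."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs: (candidate password, user name)
    samples = [("rwilliams1", "rwilliams"), ("Library2001!", "jdoe"),
               ("aaaaaaaa", "jdoe"), ("M3at!l0af-pie", "jdoe")]
    for pw, user in samples:
        result = check_password(pw, user)
        print(f"{pw!r:18} {'OK' if not result else '; '.join(result)}")
    print("expired:", password_expired(date(2001, 1, 1), date(2001, 4, 15)))
```

The check reports every violation rather than stopping at the first one, which is what a training brochure needs: a patron or staff member sees at once why "rwilliams1" fails (too few character classes and it contains the user name) instead of fixing one rule at a time.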
Hardware Security
Hardware security is a convenient category used to classify miscellaneous
items related to your computer and network hardware. The first set of
items relate to the BIOS (the Basic Input/Output System) of your servers
and workstations. The BIOS is a well-known feature on all Intel/AMD PC-compatible
servers and workstations. It performs basic tests of internal components
to be sure they are working satisfactorily. It also stores and manages
the configuration of many of the parts inside the CPU case.
- BIOS: workstations: boot order, set primary hard drive first
- BIOS: servers (locked staff-only access): boot order, set floppy drive first
- BIOS: servers (when locked staff-only access is not possible): boot order, set primary hard drive first
- BIOS: workstations: supervisor password set
- BIOS: servers: set a supervisor password if the server can still restart unattended with one set (otherwise leave it unset, so a reboot is not stalled at a password prompt)
- BIOS: all: anti-virus (boot sector write) protection enabled
- BIOS: public workstations: floppy drive(s) disabled if the AUP specifies no patron access to floppy disks
- BIOS: servers (when locked staff-only access is not possible): disable floppy drive
- BIOS: public workstations: setup message hidden/disabled, if the option is available
- BIOS: all: record setup configuration parameters
When a computer is working satisfactorily in a controlled environment—such
as that locked computer room mentioned earlier—there is little need
to worry about protecting BIOS settings. However, anywhere patrons
have access to computers, even momentary access to them, there is
a need to secure the BIOS settings. Obviously on public workstations
BIOS security is a necessity. There is also a need to secure the settings
on a server if it’s located in a place where there is a possibility
that a patron may gain access to it. Secured BIOS settings can easily
be accessed by an administrator when needed for maintenance or reconfiguration.
The settings above prevent the computer from being booted from a floppy
disk that a patron might bring in, which would otherwise give the patron
complete control of the system. They also prevent most of the mischief
patrons can cause by changing BIOS settings, such as removing the hard
drive configuration.
- Servers and workstations: use small padlocks to secure case covers
- Public workstations (or all computers in a very insecure environment): secure CPU, monitor, keyboard, and mouse to table/desk with hardware security cables/devices
The danger of theft is a security risk with one of the highest negative
impacts on network services in a public library (a lightning strike
is another). A small investment in time and money greatly reduces
the risk of many types of theft. A small padlock or other device will
prevent patrons from removing case covers from computers and taking
RAM modules or other internal components. (Some libraries enclose
the CPU case in a lockable cabinet, eliminating the need for locks.)
Vendors supply steel cable systems to protect CPUs, monitors, keyboards,
and mice from theft.
- All servers: protect with UPS (400 VA or higher), preferably with auto-shutdown software
- Network equipment (hubs or switches): protect with UPS (250 VA or higher)
- Router/firewall: protect with UPS (250 VA or higher)
Data integrity is a concern when a server loses power. In addition
to data corruption, there are other power concerns for networks: if
the power goes off, circulation cannot be conducted and home-based
users cannot use a web-based library catalog. [Note: if multiple
servers are connected to one UPS, it should be rated at no less than
700 VA, and probably higher.] This configuration ensures that short power
interruptions will not disable critical services. For servers, be
sure to load the software that lets Windows NT/2000 communicate with
the UPS. The software shuts the server down cleanly when battery power
runs low during a power failure, protecting data integrity.
Workstation Security
Although sometimes treated as a separate topic, properly securing
workstations is a very important part of the overall network security
in a library. There are a large number of configuration issues to
address when securing workstations. Using the Windows NT Workstation/2000
Professional operating system provides a better security foundation
than does Windows 98. Those libraries using Windows 98 on public workstations
are highly encouraged to install special software to secure many of
the workstation functions.
Windows NT/2000, unlike Windows 98, includes a feature known as file
system security. (An operating system’s file system is the
structure it uses to store data and program files, and includes two
types of objects: files and folders—folders are also
called directories.) A secure file system is one in which an
administrator can configure any file or folder so only specified users
can view or use those files and programs. The administrator controls
access by associating specific user accounts with individual files
and folders and assigning permissions to each account. The
general permissions include the ability to read, write to, or execute
a file or folder. A user with no read, write, or execute permission
cannot access a file or folder.
In order to take advantage of this built-in security, the library
must be sure the workstations are configured with the native NT file
system (called NTFS) rather than the alternative, the older Windows
95/98 file system (called FAT or VFAT). Previous conventional wisdom
indicated that the boot partition (known as drive C to most of us),
ought to be formatted as FAT, but this is no longer true.
Boot keys are only available in Windows 3.1/95/98. They are not available
in Windows Me or Windows NT/2000. They allow the user to interrupt,
or escape from, the normal Windows start-up sequence. Since they allow
unrestricted access to the command prompt (the old "DOS prompt,"
C:\>), they provide too much opportunity for patrons to tinker
with the system—perhaps even to reformat the hard drive. Utilities
and manual instructions are available to disable these keys.
An IP address is a numeric address assigned to each computer connected
to the Internet. IPv4 addresses have the form 210.130.74.190: four numbers,
each ranging from 0 to 255. However, not all such addresses may be used
on the Internet (e.g., 192.168.1.200). RFC 1918 reserves three ranges
as private IP addresses, to be used only on local area networks:
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and
192.168.0.0 to 192.168.255.255. Internet routers do not forward traffic
addressed to these ranges.
Computers configured with private IP addresses must go through a "translator"
to reach the Internet: a device that rewrites the private source address
of each outbound packet to one of the library's public addresses and maps
the replies back to the originating computer. Because no one on the Internet
can route a packet directly to a private address, using private addresses
locally provides a small measure of protection against attackers trying
to reach workstations from the Internet. It is not a substitute for a
firewall: any service the translator forwards inward, and any connection
a workstation opens outward, remains exposed.
Many routers, firewalls, and proxy servers provide this translation
service, called network address translation (or NAT).
Unless there is a reason not to, using private IP addresses for all
workstations and servers on the local area network is recommended
in the security checklist.
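The following Python is an added example, not part of the original document, showing how to tell the RFC 1918 private ranges apart from public and otherwise unroutable addresses, and how to audit a list of LAN hosts for any that are not on a private address. The host names and addresses in the audit are constructed for the demonstration.

```python
"""Classify IPv4 addresses as RFC 1918 private, public, or unroutable.

Added example using the standard ipaddress module; the host table in
__main__ is constructed sample data, not a real library's inventory.
"""
import ipaddress

# The three RFC 1918 private ranges, spelled out rather than relying on
# ip_address().is_private, which also covers ranges the text does not discuss.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def classify(addr: str) -> str:
    """Return 'private', 'unroutable' (loopback, link-local, multicast, reserved) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "private"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "unroutable"
    return "public"


def audit_hosts(hosts: dict) -> list:
    """Return the names of LAN hosts whose configured address is not private,
    i.e. the ones that violate the checklist recommendation."""
    return [name for name, addr in hosts.items() if classify(addr) != "private"]


if __name__ == "__main__":
    # Constructed sample inventory: host name -> configured address
    lan = {
        "ws-circ1": "192.168.1.10",
        "ws-pub3": "10.0.5.33",
        "fileserver": "172.16.0.2",
        "misconfigured": "172.32.0.1",    # just outside 172.16.0.0/12
        "web": "210.130.74.190",
    }
    for name, addr in lan.items():
        print(f"{name:14} {addr:16} {classify(addr)}")
    print("not on private addresses:", audit_hosts(lan))
```

The 172.32.0.1 entry is the classic mistake: 172.16.0.0/12 ends at 172.31.255.255, so 172.32.x.x is a public address that belongs to someone else and would be routable on the Internet.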
- Require logon at each workstation
- Disable display of the previous user name on the logon screen
- If individual patron accounts are implemented, develop a written password policy with training documentation for patrons to follow
As mentioned earlier, one of the foundational elements of network
security is a password-protected user logon. In libraries, public
access is usually controlled by a generic user account, such as "patron".
In this case, the password is practically irrelevant and may be empty,
provided the account holds only the minimal rights a patron needs.
These accounts are created to control access while keeping network
resources easily available. All other users should have accounts secured
by strong passwords, as defined in the library's password policy.
To maximize the security of the network in a public environment,
system policies (part of a Windows NT/2000 and Windows 98 utility
called the Windows System Policy Editor) should be used to
force a logon. In Windows 98, if this option is not configured, users
can get past a logon screen by pressing the Escape key. It’s also
possible to configure a system policy setting hiding the previous
user’s name when the logon window is displayed. This should be the
default for all public workstations.
If the library uses separate accounts for each patron (rwilliams
might be mine, for instance), all patrons should be trained to adhere
to the library’s password policy. A training brochure will help.
- Install Windows System Policy Editor or third-party software to restrict access and secure the desktop/shell
- Restrict command line/shell access
- Restrict access to the hard drive (consistent with the terms for downloading/saving files specified in the AUP)
In most libraries, the System Policy Editor, in combination with
the built-in file system security provided by Windows NT/2000, provides
enough strength to adequately secure public workstations (the Gates
Library Foundation computers are configured this way). Windows 98
does not provide the same level of security. Libraries using Windows
98 for public workstations are encouraged to purchase public access
computer security software (also called workstation security software).
In some cases, the library may find this software more beneficial
than the System Policy Editor. These two options provide a means of
restricting user access to desktop features such as wallpaper, desktop
icons, Start menu items, the screensaver, and more.
These utilities can also be used to restrict access to other system
features. In particular, users should never have access to a command
line (C:\>). The library’s AUP will determine whether public users
may save files on a workstation hard drive. According to this policy,
the Windows NT/2000 file system or public access security software
should be configured to deny write access (saving) to all
folders or permit write access only to designated folders on
the hard drive.
Several options, including workstation security software and an alternate
browser called Public Web Browser (a specially designed version
of Internet Explorer 5.5), allow the library to secure the web browser
used on public workstations so that certain features cannot be accessed.
Restricting access keeps users from seeing sites viewed by previous
users and from changing other settings, like the default home page.
Some public access security software (WinSelect Kiosk and Fortres
Grand’s Cooler) also makes it possible to limit access to menu
items and buttons in some Windows applications and to protect access
to system files allowed by "back doors" programmed into
some applications. If the library is using Netscape Navigator as its
public access web browser, this type of software is highly recommended
to protect browser settings.
- Remove unnecessary/unused files/programs from the hard drive
- Remove the Network Monitor Agent from public workstations, if installed
- Schedule a procedure to periodically remove all user files if file downloading/saving is permitted in the acceptable use policy; also remove unneeded "cookies"
Removing files that are not appropriate for use on a public workstation
is another foundational aspect of security. In particular there are
several system files that should be removed, such as format.com. The
Network Monitor Agent (a packet analysis program that, if used by
the public, may allow users to see private information of other users
as it is transmitted across the network) should also be removed from
a public access workstation if it has been installed inadvertently.
Limiting a patron’s access to just those programs she needs to use
the workstation as intended will also limit security flaws introduced
through other programs or utilities.
Related to this issue, if patrons may save files on the hard drive,
regular maintenance should be scheduled to erase all stored files.
Also scan the web browser cookies saved during patron use, and remove
any that are not needed for information sites. This reduces the risk
of disclosing one patron's personal information to the next.
- Install and maintain anti-virus software on all workstations
- Update virus signatures on a regular schedule (at least once every two weeks)
- Upgrade anti-virus software to support scanning of floppy diskettes, e-mail, and Internet file downloads, if necessary
Anti-virus software should be installed on all workstations, staff and
public (or licensed for access from a server by all). The software
needs to be updated regularly as well. There are two components to
anti-virus software: the "signatures" (patterns of bytes that identify
a known virus) and the main software, which uses the signatures to
examine files on a hard drive for the possible presence of a virus.
The virus signatures should be updated on a regular basis, once a week
or twice a month at the least, and more often if the vendor releases
them more often. The anti-virus software itself should be upgraded as
new versions (with more features) are released. Some libraries may
choose to skip a version and upgrade with every other major version release.
In addition to the settings available through the System Policy Editor,
it is also possible to edit a database of operating system settings
called the registry to further enhance security. In future
versions of this document I will provide a specific list of registry
keys and values that should be set on your public and staff workstations.
Once your workstations are secure, all of the selected settings (in
the System Policy Editor and in the registry itself) should be documented.
In the event of a hardware failure where the operating system must
be reinstalled, having all the settings documented will make restoration
of the security a simpler process. Store the documentation in a secure
(controlled) place, such as the library director’s file cabinet.
- Schedule periodic download and installation of operating system patches
- Create and maintain current Emergency Repair Disks, and store them in a controlled location
- Implement a paper log to record maintenance problems and patron misuse of workstations
- File all workstation component documentation (papers/manuals/disks) for use by service technicians
Windows NT/2000 and Windows 98, including their updates, are tremendously
complex programs. Bugs and settings that threaten security are discovered
regularly. Microsoft releases small file "fixes" as quickly
as possible when such problems are reported. These releases are called
patches to the operating system. Therefore, it is imperative
that all workstations have appropriate patches applied on a regular
basis. Also, an Emergency Repair Disk may be invaluable if a computer’s
registry is corrupted or some other system problem occurs. Whenever
settings are altered or new software is installed, it is important
to create a new Emergency Repair Disk. As mentioned previously, these
need to be stored in a locked case in a staff-only area.
The last two items are not as much security-related items as timesaving
measures. Keeping a paper log of problems on a computer may help a
paid technician diagnose future problems and minimize the repair bill.
Having all current documentation for the components of a particular
workstation may also minimize the time required for a tech to diagnose
and resolve a problem.
LAN/Domain Server Security
This document assumes the use of Windows NT/2000 as the library’s
server operating system. Obviously, in larger environments the automation
system may require the use of another operating system. Some of the
items below will not apply at all in those cases, and some may need
to be "translated" into terminology used in the alternative
system.
In most small library local area networks, there will be one or two
servers: a main server, usually a domain controller under Windows
NT/2000, which verifies the logins of all users, and a file server
used with the library automation system. In some libraries, these
two services are combined on one server. It is possible to operate
in a very small environment with just Windows NT Workstation/2000
Professional-based computers and no server at all, but it is more
difficult to maintain security in this environment. So this base level
of security assumes the presence of at least one server. The following
items are needed to secure the local area network servers in the library
(with the exception of a web server, which has its own configuration
settings presented in Chapter 9).
- Configure all NT Server partitions with NTFS file systems
- Configure separate operating system and data partitions (both NTFS)
- Mirror server drives (or implement RAID), if funding allows, for redundancy
The first two items are similar to the settings for workstations. Best
practice now dictates that all partitions (which show up as distinct
drives in the Explorer window) be formatted with the NTFS file system.
On a server, that idea is expanded to include a separation of the
operating system files from all other programs and user data installed
on the server. Separating these so they are located on different "drives"
(drives C and D, for example) makes it a bit faster to perform backups,
easier to secure sensitive operating system files, and less likely
that applying patches and Service Packs (updates to the operating
system) will affect other files on the system.
Mirroring keeps an exact, continuously updated duplicate of a server's
hard drive on a second drive. If one drive fails, the system keeps
running from the other while the failed drive is replaced. This redundancy
keeps a service operational even through a hard drive failure; one might
call this service security. Mirrored systems do add significant cost
to a server. (Mirroring is itself the simplest form of RAID, RAID 1;
other RAID levels spread data and parity across three or more drives
and offer similar protection.) Note that mirroring is not a backup:
a file deleted or corrupted on one drive is deleted or corrupted on
the other at the same instant.
The checklist item on private IP addresses is repeated from the workstation
configuration. If private IP addresses are used on the workstations,
they need to be used on local servers as well to keep the network
configuration simple (this does not necessarily apply to web servers
used to provide web pages to Internet users).
Many security holes in server operating systems are discovered as
users attempt to do things they "shouldn’t do." Current
security wisdom indicates services not used on a server should be
removed from the server. This limits a user’s opportunity to do what
he shouldn’t do. For example, on a typical library file server, if
no web documents are available on the server to share across the local
network, then the Internet Information Server (IIS) service should
be removed (turned off). Leaving it running presents an unnecessary
opportunity for someone to break through the server’s normal security
and have complete access to the server.
By the same logic, system files that allow reformatting the hard
drive (and other such utilities) should be removed from the server
hard drive. They can be copied onto a floppy disk for use by administrators
when needed. In the event that an attacker does break through your
security, there will be no utility lying ready to help him reformat
your drive! (An attacker who already has administrative access can
bring his own tools, so treat this as protection against casual misuse
rather than against a determined intruder.) Also, if a program is no
longer being used on the server, go ahead and uninstall it so that
it presents no unintended threats later on.
As mentioned under workstation security, all the files and folders
on the server hard drive can be assigned permissions so that only
specified users can read or write to files, or open folders or execute
programs. On the server it is especially important to limit what users
can access.
The Network Monitor Agent is a packet analysis tool, which potentially
allows a user to view the contents of all the data flowing across the
network. It can be a valuable tool for a network administrator. However,
extra care should be taken to secure the file so unauthorized users
do not gain access to it.
- Disable anonymous user logons
- Disable caching of user logons
- Configure account policy to restrict unauthorized logon attempts
- Create a logon warning message (a warning against unauthorized logon or access and use of restricted resources)
As mentioned earlier, the primary means of restricting access to
sensitive files on a network is the user logon (requiring a user
to supply a user name and password). The password becomes the key
to securing the entire system. In addition to using strong passwords
and requiring users on each workstation to log on, the items above
add more security on the server side of the connection. First, disable
anonymous logons: the "null session" connections Windows NT/2000 accepts
with no user name or password, which let a remote client list user
accounts and shares without any credentials. Second, Windows workstations
keep a copy (a cache) of the credentials from recent domain logons so
that a user can still log on when the domain controller is unreachable.
Those cached credentials can be recovered from a stolen or compromised
workstation, so in most library environments workstations and the server
should be configured to disable this caching.
Also, make sure there is a limit placed on the number of logon attempts
allowed before the account is locked out for some specified time. Three
is a good limit. This keeps attackers from using unrestricted blocks
of time to guess passwords. Two cautions: set a finite lockout duration,
because an attacker who knows a user name can otherwise lock legitimate
users out at will, and note that the built-in Administrator account is
exempt from lockout by default on Windows NT/2000.
Last, due to court cases involving unauthorized access to networks,
many security consultants now advise the use of a posted warning against
unauthorized use of the network. Windows NT/2000 provides a generic
logon warning that can be edited for use in your library. One example
of such a banner is the warning notice defined by the Department of
Energy’s classified order 5639.6A-1:
WARNING: To protect the system from unauthorized use and to ensure
that the system is functioning properly, activities on this system are
monitored and recorded and subject to audit. Use of this system is expressed
consent to such monitoring and recording. Any unauthorized access or
use of this Automated Information System is prohibited and could be
subject to criminal and civil penalties.
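To make the lockout rule concrete, here is an added example (not from the original document, and not the Windows NT/2000 implementation) of an account policy that locks an account after three failures for a fixed period, refuses even the correct password while locked, and resets the failure count after a quiet period. The threshold, durations, user names and passwords are assumptions; the password table is plaintext only to keep the demonstration short, where a real system would compare hashes.

```python
"""Account lockout policy simulation.

Added example. LOCKOUT_THRESHOLD follows the text's suggestion of three
attempts; the lockout duration and reset window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 3                     # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed: finite, so a lockout is not permanent
RESET_WINDOW = timedelta(minutes=30)      # assumed: quiet period after which failures are forgotten


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    def __init__(self, passwords: Dict[str, str]):
        self.passwords = passwords            # user -> password (illustration only)
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, when: datetime) -> str:
        """Process one logon attempt; returns 'success', 'failed' or 'locked'."""
        st = self.state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if when < st.locked_until:
                return "locked"                # still locked: the right password is refused too
            st.locked_until = None             # lockout has expired
            st.failures = 0
        if st.last_failure is not None and when - st.last_failure > RESET_WINDOW:
            st.failures = 0                    # stale failures no longer count
        # Unknown users are counted like wrong passwords, so the response
        # does not reveal which names exist.
        if self.passwords.get(user) == password:
            st.failures = 0
            return "success"
        st.failures += 1
        st.last_failure = when
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = when + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def is_locked(self, user: str, when: datetime) -> bool:
        st = self.state.get(user)
        return bool(st and st.locked_until and when < st.locked_until)


if __name__ == "__main__":
    policy = LockoutPolicy({"jdoe": "M3at!l0af-pie"})   # constructed sample account
    t = datetime(2001, 5, 1, 9, 0, 0)
    for offset, pw in [(0, "guess1"), (10, "guess2"), (20, "guess3"),
                       (300, "M3at!l0af-pie"), (31 * 60, "M3at!l0af-pie")]:
        when = t + timedelta(seconds=offset)
        print(f"{when.time()} {pw!r:18} -> {policy.attempt('jdoe', pw, when)}")
```

The fourth attempt in the demonstration is the important one: the correct password arrives five minutes after the lockout and is still refused. That is the behaviour that stops a guessing attack, and it is also why the duration must be finite, since the same rule lets anyone who knows a user name lock that user out.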
- Create an alternative Administrators group and restrict membership
- Restrict privileges of the default Administrators group
- Create an alternative Administrator account (with a new name) with full privileges
- Disable the default Administrator account
- Configure auditing of Administrator account logon attempts (to track hacking attempts)
- Set a strong password for the current administrator account
- Use different passwords for domain/server accounts than for local workstation accounts, or use different account names
- Restrict access permissions for the Everyone group
- Disable the Guest account if enabled
- Create appropriate user and group accounts (minimum of three groups: Patrons, Staff, and Administrators)
- Set appropriate group access permissions
- Set appropriate user account passwords (the password for PatronX account(s) may be simple or empty)
- Encrypt the SAM password database (with the syskey utility)
This lengthy list applies to the main concepts of user control in any
operating system: user accounts, group accounts, and the password file.
Your library may assign a user account to each staff member, temporary
accounts to contracted technical workers, and individual accounts to patrons.
(Most libraries have chosen to allow patron access only through a generic
patron account, one account used by all patrons.) These form natural groups
of users. So the operating system allows the formation of group accounts
as well. Individual users can then be assigned to one or more group accounts.
Then it’s easy to manage access to all files and folders by controlling
just the access that each group has. It keeps the administrator from having
to assign permissions to the file system for each individual account.
It also ensures a uniform application of permissions.
One note here: creating a new administrator account while keeping
the default "Administrator" account allows easy monitoring of logon
attempts against the default account. Since everyone knows this account
exists, it is often the target of attacks. If an attacker can successfully
log on as the Administrator, he will have complete control of the server.
By keeping the account but disabling it, it is possible to monitor all
logon attempts against it and deal with potential attacks in their early
stages. Be aware that renaming does not hide the account completely:
the built-in account always carries the same well-known relative identifier
(RID 500), so a tool that enumerates accounts by security identifier can
still pick it out. Renaming and disabling still cut off casual password
guessing against the name "Administrator", which is why the items above
call for both.
Most libraries won’t provide any type of dial-in access to the network
through the server, so we don’t cover security of the Remote Access Service
in this document. Libraries that do allow dial-in access, to staff or
patrons, need to review other security documents to be sure their network
is as secure as possible. This, too, is a popular point of attack if it’s
available.
As mentioned in the workstation security section, the registry holds
many different configuration settings for programs installed on the computer.
There are many settings which should be set: disabling the Netware DLL
Trojan horse capability (assuming Novell Netware is not used on your network),
restricting remote access to the registry, restricting access to "named
pipes" and to the Scheduler, blocking the 8.3 DOS naming convention
attack. There are others. It is imperative that you document for future
reference any decisions your library makes regarding specific registry
settings.
With Windows NT/2000 it’s possible to track, or audit, all types
of access to system resources, even to track all access attempts on a
certain file, folder, or account. Server usage that you’ve chosen to audit
is recorded in an audit log. Auditing needs to be configured (especially
for sensitive areas like accessing the Administrator account or attempts
to run restricted programs) for many areas, but creating the logs
is useless unless staff reviews them. Develop the discipline of regularly
reviewing server logs. This responsibility should be assigned to a specific
person to be conducted at specific intervals (e.g., daily or weekly).
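As an added example, not part of the original document and not a parser for the Windows NT event log, the following Python shows what a scheduled review of a logon audit log might check: attempts against the disabled Administrator account, repeated failures from one workstation, and successful logons outside opening hours. The log lines are constructed sample data in a simple tab-separated form (timestamp, event, user, source workstation); the threshold, watched accounts and opening hours are assumptions.

```python
"""Review a logon audit log for the patterns the text says to watch.

Added example. SAMPLE_LOG is constructed data in a made-up format, not
Windows NT event-log records; thresholds and hours are assumptions.
"""
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
2001-05-01 08:55:12\tLOGON_OK\trwilliams\tWS-CIRC1
2001-05-01 09:02:40\tLOGON_FAIL\tAdministrator\tWS-PUB3
2001-05-01 09:02:44\tLOGON_FAIL\tAdministrator\tWS-PUB3
2001-05-01 09:02:49\tLOGON_FAIL\tAdministrator\tWS-PUB3
2001-05-01 09:03:01\tLOGON_FAIL\tjdoe\tWS-PUB3
2001-05-01 12:15:00\tLOGON_OK\tpatron\tWS-PUB1
2001-05-01 23:41:07\tLOGON_OK\tlibadmin\tWS-CIRC1
"""

WATCHED_ACCOUNTS = {"Administrator"}   # disabled accounts that should never see a logon attempt
FAIL_THRESHOLD = 3                     # failures from one source worth a closer look
OPEN_HOUR, CLOSE_HOUR = 8, 21          # assumed library hours (24-hour clock)


def parse(log_text: str) -> list:
    """Turn the tab-separated sample format into (datetime, event, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, source = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, user, source))
    return events


def review(log_text: str) -> list:
    """Return human-readable findings for the reviewer to follow up."""
    findings = []
    fails = Counter()
    for when, event, user, source in parse(log_text):
        if user in WATCHED_ACCOUNTS:
            # Any attempt, successful or not, on a disabled account is suspicious
            findings.append(f"{when}: attempt on disabled account {user} from {source}")
        if event == "LOGON_FAIL":
            fails[(user, source)] += 1
        if event == "LOGON_OK" and not (OPEN_HOUR <= when.hour < CLOSE_HOUR):
            findings.append(f"{when}: {user} logged on from {source} outside opening hours")
    for (user, source), n in fails.items():
        if n >= FAIL_THRESHOLD:
            findings.append(f"{n} failed logons for {user} from {source}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the review surfaces the three guesses at the Administrator account from the public workstation WS-PUB3 and a staff logon at 23:41, which is exactly the kind of thing a weekly skim of raw logs tends to miss; the point of scripting the review is that the person assigned to it gets a short list to act on rather than a wall of events.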
Be sure to install software that allows the UPS (to which the server
is connected) to communicate with the server when a power problem occurs.
The communication may include a command to shut the server down if battery
power is low. This protects the integrity of data being written to the
server’s hard drive.
- Implement procedures for file backups according to the backup plan
- Restrict access to the backup program
- Maintain a backup log and auditing
- Rotate one backup set offsite regularly
Backing up, while not a typical network security topic, goes to the
heart of network security: protecting data from loss or corruption. Only
one or two specified individuals should have access to the backup software,
so unauthorized persons cannot restore sensitive data from a previous
backup. Good discipline requires that backups be performed regularly and
that one person be responsible for the backup procedures and the maintenance
of backup logs. Periodically test a restore from the backup media; a backup
that has never been restored is not known to work. To protect data stored
on a server against theft, rotate one set of backup media offsite (out of
the library) regularly. (What could be worse than going through the rigors
of backing up regularly only to have both server and backup media stolen?)
Be sure all backup media, the offsite set as well, are secured properly.
This may include putting the media in a lockable container and securing
the key in a controlled location.
- Schedule periodic download and installation of operating system patches
- Create and maintain current Emergency Repair Disks, and store them in a controlled location
- Implement a paper log to record maintenance problems, attempts at unauthorized access, and other server problems
- File all server component documentation (papers/manuals/disks) for use by service technicians
Even more than with workstations, it is vitally important to update the
server operating system on a regular basis by installing patches and Service
Packs as Microsoft makes them available. Doing so will greatly reduce
your risk of attack. Use the same paper log for servers as for workstations
to document problems and repairs, attacks, and other anomalies related
to servers. And keep the server’s documentation available for any service
technician that may need it.
Network Equipment Security
Network equipment refers to all the devices required to get data signals
from one computer to another. Generally, these include hubs, switches,
routers, and firewalls. Bridges may be included in older designs. The
following items apply to all these devices. A separate section is devoted
to other issues related to routers and firewalls.
Libraries should be purchasing network equipment that provides management
capabilities. This provides the possibility of remote management of the
network even if the library does not contract for that service initially.
Setting management passwords on the equipment and documenting them minimizes
the risk of network equipment configurations being altered by unauthorized
personnel. When the library hires a vendor to install and configure network
equipment, be sure to document all passwords used to secure the equipment.
More than one installation has been performed where the vendor did not
disclose equipment passwords. When the library chose to change vendors
for maintenance of the network, the passwords were unknown, and the time
required to reconfigure the equipment multiplied. Disclosure of the passwords
used in the installation or configuration should be included in the terms
of any contract for paid installation and configuration services. The
library must have the right to change vendors without incurring great
expense to do so.
On the other hand, it is the library’s responsibility to secure these
passwords by documenting them and storing the documentation in a secure
(preferably locked) location.
If the equipment provides logs of activity, make sure the logs are configured
securely—accessible only by authorized personnel. If the library will
be doing its own network maintenance, make it part of the installation
contract for the vendor to train staff, or at least provide a demonstration
to staff, in monitoring and maintaining the logs provided through the
equipment.
Just like operating systems on a server or workstation, the firmware
that provides the functionality of "intelligent hubs," switches,
and bridges may get updated, especially when bugs are discovered. A regular
routine to check for firmware updates needs to be implemented to maintain
the proper operation and security of the equipment.
Be sure to document all settings in the installed configuration of the
equipment once the installation is complete. Make an electronic copy of
the configuration file, if possible. Also, update the documentation whenever
a change is made to the configuration. Record any decisions or justification
used in making the change. Two years later it may be difficult or impossible
to remember why something was done a certain way!
The same applies here as for servers and workstations: storing documentation
in an organized fashion cannot be overemphasized, because it can greatly
reduce the time and frustration required to maintain the equipment.