Saturday, June 2, 2012

In Configuration We Trust


There are many things IT administrators can do to protect their networks from inside threats, malware, and external adversaries, and vendors are tripping over themselves to sell the latest system designed to keep the bad guys out and data safe. eEye Digital Security, recently acquired by BeyondTrust, has released In Configuration We Trust, a free configuration scanning tool that can audit an environment and give a quick pass/fail overview of the network's basic security measures. The tool accompanies the company's In Configuration We (Still) Trust research whitepaper, in which its researchers outline best practices for how systems should be configured.

The whitepaper outlined how simple configuration changes could improve the security of the network. These recommendations could "not only help stop the run-of-the-mill drive-by attacks, but also even some of the more sophisticated, dare we say APT [advanced persistent threats] attacks," Marc Maiffret, co-founder of eEye and now BeyondTrust CTO, wrote in a blog post announcing the tool. In many cases, sophisticated attacks such as Aurora and Stuxnet could have been crippled if some simple steps had been taken, such as setting up Web proxies and implementing proper file permissions. Administrators running the configuration tool will see some of these recommendations. Others are listed in the whitepaper.

Basic Security Hygiene
The scanner is a Windows-only tool and performs checks on ten of the most common configuration issues. The accompanying whitepaper has a more detailed look at best practices for securing IT infrastructure. In order to run the tool on a Windows Server 2008 R2 machine, I first had to upgrade the .NET Framework from version 3.5 to 4.0.

The scanner checks for 10 basic things that administrators can verify to make sure the environment is properly configured. They include: using digitally signed running processes, DLL Host Services, and egress port filtering; disabling Microsoft Office converters; downloading and installing the latest updates for the Windows operating system and Microsoft Office; removing administrator privileges from end-user accounts; disabling WebDAV; blocking direct downloads of executable files; and pushing egress traffic through a Web proxy.

The scanning tool and the checks it performs are not designed to certify that the system is secure, or to prove that it's insecure. The tool's stated purpose is to give administrators a starting point for deciding what they should be doing to protect the network. This makes a lot of sense when you consider that just disabling WebDAV and Microsoft Office document converters (both very simple steps) mitigated 20 percent of vulnerabilities in 2011.

Running the Scanner
The tool itself is small; the entire scanner is packed into a single 11MB executable file. When I launched the application, it displayed the common configuration settings that would be checked, along with a button to launch the test.

After a few minutes of running the test, the same list is displayed again, with a green checkmark or red "x" next to each item for an at-a-glance pass/fail overview. The checkmark indicates the test passed: the configuration setting complied with the accepted best practices. The "x" means there is a problem, and the administrator should fix it before it leads to an incident.

After my test scan was completed, I could expand each item to read the details. There was a detailed description of how the test was conducted, and the actual results were displayed as well. For example, when I clicked on the Egress Port Filtering test item, I learned that it checks whether the system can communicate with a remote server over a non-standard port. While most modern malware tends to use HTTP or HTTPS traffic, there are still many malicious applications that try to exfiltrate data and receive instructions over non-standard ports. By blocking outbound traffic on these ports, administrators can block this class of malicious traffic.

On my test system, I failed this test. It would have been nice if the description of the failure was as detailed as the description of the test. The result just said it detected traffic on non-standard ports, but didn't say which port. I didn't realize until I read the description that the test looked only at port 3486. It would have been helpful to indicate the port number.

The scanner is not designed to be a full audit tool, so it's not supposed to provide a full list of ports that are open. It's supposed to be a starting point. Thanks to the tool, IT administrators now know that at least one non-standard port is open, and it's up to them to find all the open ports and close them as necessary. Still, I'm sure most admins would prefer to get a nice list telling them which ports are open, instead of having to go digging around to find them.

Another test I failed was for the user account I was logged in as having administrator privileges. I was also not using a Web proxy to filter all network communication. My computer passed for having up-to-date versions of Microsoft Office and the Windows operating system.
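As an added example, and not code from eEye, BeyondTrust or the reviewed tool, here is a short PowerShell audit that reproduces four of the checks discussed above on the local machine and, unlike the report described, names which non-standard ports answered. The egress host is a placeholder for a listener you operate yourself, and the port list is a constructed sample.

```powershell
# Added example, not eEye/BeyondTrust code: a minimal local audit covering four of
# the ten checks described above. $EgressHost is a placeholder for a listener you
# run yourself; $EgressPorts is a constructed sample of non-standard ports.
$EgressHost  = 'egress-test.example.com'
$EgressPorts = 3486, 4444, 6667, 31337

function Test-IsAdmin {
    # Is the current account a member of the local Administrators group?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WebDavDisabled {
    # WebDAV client support is provided by the WebClient service;
    # a missing or Disabled service passes, Auto or Manual fails.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return $true }
    return ($svc.StartMode -eq 'Disabled')
}

function Test-ProxyConfigured {
    # Per-user WinINET proxy setting used by Internet Explorer and Office.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    return ($p.ProxyEnable -eq 1 -and -not [string]::IsNullOrEmpty($p.ProxyServer))
}

function Test-EgressPort($TargetHost, $Port, $TimeoutMs = 3000) {
    # Only a completed TCP handshake counts as open, so the target must be listening.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch [System.Net.Sockets.SocketException] { return $false }
    finally { $client.Close() }
}

$results = @(
    @{ Check = 'Account lacks administrator privileges';  Pass = -not (Test-IsAdmin) },
    @{ Check = 'WebDAV (WebClient service) disabled';     Pass = (Test-WebDavDisabled) },
    @{ Check = 'Egress traffic sent through a Web proxy'; Pass = (Test-ProxyConfigured) }
)
# Report the ports that actually answered, not just that one did.
$open = @($EgressPorts | Where-Object { Test-EgressPort $EgressHost $_ })
$results += @{ Check = "Egress port filtering (open: $($open -join ', '))"; Pass = ($open.Count -eq 0) }
foreach ($r in $results) {
    $mark = if ($r.Pass) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $mark, $r.Check
}
```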

Audit, Then Follow Recommendations
Considering that adversaries are crafting their attacks to bypass common configurations, take advantage of default settings, and sneak past commonly used security software, taking the extra step to customize the way the network is configured and close potential holes can significantly improve security without spending a lot of money on fancy software and appliances. While configuration settings will never replace firewalls and Web gateways, they can prevent malware from gaining administrator privileges just by compromising an end-user account.

The In Configuration We Trust audit tool helps administrators start thinking about ways to close off holes that could be exploited by attackers. The accompanying whitepaper goes into greater detail and offers practical recommendations on protecting against high-profile threats. In Configuration We Trust is a powerful tool that should be part of every IT administrator's security arsenal.
