Recently in Network administration Category

Monitoring security

Security camera

Is the security for real?

Do you keep the security level high enough?

The question seems simple. But if the answer is positive, the next question will be "What is high enough?"

The security camera in the photo is a mock-up: an imitation, installed to deter possible criminals. It doesn't watch anything, even though it is installed. Are your security systems for real? Is the monitoring you perform for real? The answer is not obvious, even if you have installed network monitoring software and know exactly what to monitor.

Nowadays it's not enough to monitor the servers alone, whatever services on them you watch. The fact that a service is available and replies with the expected data doesn't mean it's in a good state.

For example, if an installed piece of software is an old version that can be compromised, security is weak. So monitoring the vital systems themselves is not enough.

Hidden flaws of security

The problem of using insecure software isn't limited to insecure, out-of-date functions. At times a less secure configuration can be the reason for a system malfunction or failure. How do you determine that there are flaws in the configuration?

Neither aspect of the problem has a fully automated solution. Several pieces of software do have a mailing list or other means of notifying about out-of-date components or security threats. Most, however, do not. The only way to keep up with events is to follow the news on security-related forums and software sites and react immediately to every new threat published.

Talking of studying log files, it's relatively easy to detect how many times a given string is found in a given log file (say, the ssh log file registers all login attempts, so if anything strange happens, it's better to be notified as soon as possible).
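As an added illustration (not part of the original post, and not IPHost code), here is a small Python script that does the counting just described on a few constructed sshd log lines: it counts how many times a pattern occurs in the log and reports each source address once its failed password attempts reach a threshold. The log lines, the threshold and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the usual syslog/sshd format (not real data).
SAMPLE_LOG = """\
Jan 10 10:01:02 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50110 ssh2
Jan 10 10:01:09 host sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jan 10 10:01:11 host sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jan 10 10:01:14 host sshd[1209]: Failed password for root from 198.51.100.7 port 41030 ssh2
Jan 10 10:02:00 host sshd[1220]: Failed password for bob from 192.0.2.22 port 50200 ssh2
Jan 10 10:02:30 host sshd[1231]: Accepted password for bob from 192.0.2.22 port 50201 ssh2
"""

# One failed password attempt; "invalid user" is optional in sshd's message.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def count_pattern(lines, pattern):
    """Number of log lines in which the regular expression `pattern` occurs."""
    return sum(1 for line in lines if re.search(pattern, line))


def failed_logins_by_source(lines):
    """Map source address -> number of failed password attempts seen."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def check_threshold(lines, threshold):
    """Sorted list of source addresses whose failure count reached the threshold."""
    return sorted(src for src, n in failed_logins_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed attempts:", count_pattern(lines, r"Failed password"))
    for src in check_threshold(lines, 3):
        print(f"ALERT: {src} reached the failed-login threshold")
```

A monitor built this way should run on the log tail since the previous check rather than the whole file, otherwise the count only ever grows and the alert never clears.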

Also, a good piece of advice is to install intrusion detection software such as Snort, update its rules on a regular basis and use its notification features to measure the security risk level and/or signal alerts.

Monitoring software may be the dashboard of your whole security setup; it's relatively easy to report all the important news to a single command centre and raise a relevant alert condition when necessary.

Security isn't a one-time set of actions. It's a philosophy, a discipline and everyday, routine work on researching the security world and being alerted before possible flaws are exploited.

Keep it simple, sage


Reinventing the wheel

Simpler solutions aren't always obvious. When looking for a way to monitor a parameter, one is always tempted to reinvent the wheel, e.g. to create a custom script every time the existing monitor types don't cover the case.

Definitely, it's not the best idea. First of all, it takes time. Second, it might be an inefficient solution. Third, it might be non-portable: if you wish to create the same monitor type for another host, you might have to create a similar script from scratch.

When it comes to monitoring the simplest parameters of the server, such as CPU load, memory usage and so on, there is no need to create a complex scheme of running remote scripts/applications and reporting data back to the monitor.

The magic abbreviation is SNMP, Simple Network Management Protocol. Let's explain briefly how it can be used to monitor a number of system-level parameters of a server. A Linux-powered server is assumed, although in this case most other operating systems can be monitored through the same facility.

SNMP

The SNMP daemon isn't running by default; refer to longer how-tos such as Monitoring server performance for more details on installing the daemon.

Take care when setting up the daemon: it can support a number of protocol versions. If you don't wish to handle the security-related setup of SNMP version 3, you may use v1 or v2c, but keep in mind that their security level is only basic: if you don't restrict, by other means, who is granted access to the daemon (restrict it to localhost if monitoring from the same server), you are virtually handing all the important data to whoever wishes to gain unauthorized access to the server.

Try to restrict access to read-only; there is hardly any need to grant write access to monitoring software.

It's easy to find the OIDs (object identifiers) of the data you wish to monitor; e.g., to allow viewing general system information such as RAM usage, grant access to the .1.3.6.1.4.1 hierarchy.

Most of the data you could use are numeric; thus, the SNMP-based monitors available in IPHost Network Monitor can be used to create very precise monitors reflecting the level of resource usage, without creating server-based scripts and communicating with them.

Write access

Note that certain variables (OIDs) can be writable, thus allowing you to control, to some extent, the device your monitoring software is connected to via SNMP.

Note also that SNMP is supported by many devices, such as routers, and it can be used, say, to programmatically restrict or even close access to them, or to set usage limits based upon the parameters being monitored. Say, you can restrict or limit the transfer speed of Ethernet cards if the data transferred crosses a limit. However, it is strongly advised that network monitoring software never modify the settings of any device it monitors.
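To make the daemon-configuration advice of this post concrete (read-only access, a source restriction, a limited OID subtree, and no write access), here is an added Python example, not from the original post and not part of IPHost Network Monitor, that audits the community lines of a net-snmp style snmpd.conf. It flags exactly the weak settings discussed above. Both configuration fragments are constructed for the example; the `rocommunity`/`rwcommunity` directive syntax is net-snmp's (community, optional source, optional OID), and lines using the `-V view` form are deliberately not parsed here.

```python
import re

# Constructed "before" fragment: anyone on the network can read everything, and the
# well-known 'private' community can write.
WEAK_CONF = """\
# permissive defaults
rocommunity public
rwcommunity private
"""

# Constructed "after" fragment: read-only, only from the monitoring host, only the
# enterprises subtree the post mentions for system-level data.
HARDENED_CONF = """\
# read-only, single source, limited subtree
rocommunity s3cret-monitor-string 192.0.2.5 .1.3.6.1.4.1
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# rocommunity COMMUNITY [SOURCE [OID]]   (the -V VIEW form is out of scope here)
COMMUNITY_RE = re.compile(
    r"^(rocommunity6?|rwcommunity6?)\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?$"
)


def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples for risky community-based access lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding blanks
        if not line:
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue                            # other directives are not audited here
        directive, community, source, oid = m.groups()
        if directive.startswith("rw"):
            findings.append((lineno, "write access granted; monitoring needs read-only"))
        if community in DEFAULT_COMMUNITIES:
            findings.append((lineno, f"well-known community name '{community}'"))
        if source is None or source == "default":
            findings.append((lineno, "no source restriction: any host can query the agent"))
        if oid is None:
            findings.append((lineno, "whole MIB tree exposed; restrict to the subtree you monitor"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {name}")
        for lineno, finding in audit_snmpd_conf(conf):
            print(f"line {lineno}: {finding}")
```

Even the hardened fragment still relies on a v2c community string sent in clear text, which is the trade-off the post describes when v3 is not used; the checker does not try to fix that, it only shows which settings give the data away needlessly.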

Monitoring tools: learn more from reinventing the wheel

Handmade tools

Standard tools in non-standard situations

Monitoring tools like IPHost Network Monitor provide a set of built-in monitor types to handle most routine tasks.

They are sufficient to handle the majority of monitoring needs; often it is enough to make sure a given type of service is accessible, without checking its actual output.

However, a number of tasks may require something not present in the distribution. What is the best approach in such a case?

A real-life example: you would like to monitor users' inbox sizes and warn them if those inboxes grow too large.

One approach could be to make a script that ssh's to the mail server, runs the 'ls' program on a given mailbox and returns its size in whatever units are required.

However, if the mail inbox directory can be accessed as a network share, the task could be solved using the built-in file size monitor type. Moreover, if the monitor is named after the user part of the mailbox, the alert can be built in such a manner that it notifies the mailbox owner that the quota limit has been exceeded.

The wheel reinvented

There can be several solutions to a problem. For example, to check a given user's presence at a site we could analyse that user's profile page and look for a text pattern.

However, that would mean we stress not only the database the data are taken from, but the Web server as well. When monitoring a site it is often a good idea not to overwhelm the site with the monitoring itself. Loading Web pages too frequently may create unnecessary stress on the site.

The above task could be solved by slightly different means: monitoring a SQL database. If a proper SQL query is constructed, the first column it returns is interpreted as the performance value. Thus, most of a SQL-driven site's activity may be monitored just by creating the correct SQL query, able to return a numeric result.
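As an added example (not the original post's code, and not IPHost's SQL monitor implementation), the following Python script shows the contract described above on a constructed session table in an in-memory SQLite database: each monitor query returns a numeric first column, the user whose presence is checked is bound as a query parameter rather than pasted into the SQL text, and one query per check is far cheaper for the site than fetching a profile page. Table layout, column names and the sample rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for a site's session table (not data from the original post).
def build_sample_db(now):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (username TEXT, last_seen TEXT)")
    rows = [
        ("alice", now - timedelta(minutes=2)),
        ("alice", now - timedelta(minutes=40)),
        ("bob", now - timedelta(minutes=5)),
        ("carol", now - timedelta(hours=3)),
    ]
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [(user, seen.isoformat(sep=" ")) for user, seen in rows],
    )
    return conn


def run_monitor_query(conn, sql, params=()):
    """The monitor's contract: the first column of the first row is the value."""
    row = conn.execute(sql, params).fetchone()
    if row is None or row[0] is None:
        raise ValueError("query returned no value to monitor")
    return float(row[0])


# Presence of one user: sessions seen within the last `minutes`. The user name comes
# from the monitor's name, so it is bound as a parameter and can never alter the SQL.
PRESENCE_SQL = "SELECT COUNT(*) FROM sessions WHERE username = ? AND last_seen >= ?"


def user_presence(conn, username, now, minutes=15):
    since = (now - timedelta(minutes=minutes)).isoformat(sep=" ")
    return run_monitor_query(conn, PRESENCE_SQL, (username, since))


# Site-wide activity: distinct users seen in the window, again a single numeric column.
ACTIVE_USERS_SQL = "SELECT COUNT(DISTINCT username) FROM sessions WHERE last_seen >= ?"


def active_users(conn, now, minutes=15):
    since = (now - timedelta(minutes=minutes)).isoformat(sep=" ")
    return run_monitor_query(conn, ACTIVE_USERS_SQL, (since,))


def demo():
    now = datetime(2024, 1, 10, 12, 0, 0)
    conn = build_sample_db(now)
    return {
        "alice": user_presence(conn, "alice", now),
        "carol": user_presence(conn, "carol", now),
        "active": active_users(conn, now),
    }


if __name__ == "__main__":
    print(demo())
```

The database account used by such a monitor should have SELECT rights on the tables involved and nothing more, for the same reason the SNMP post recommends read-only access for monitoring.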

To sum up: when a monitoring task may be solved by checking a file's size, the result of a SQL query or a string found in an HTTP(S) response, it's better to solve the task in that manner.

Custom scripts can be used when a task not easily reduced to the cases above must be solved. E.g., when a file of a given size, modification time and access permissions must be present in a known location.
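The two filesystem tasks in this post, the per-user inbox size check and the "file with a given size, modification time and permissions" custom check, are shown below in one added Python example (written for this page; not IPHost's file size monitor). It builds a constructed mail spool in a temporary directory, reports mailboxes over quota by user name so an alert can be addressed to the owner, and returns a list of problems for a file that must exist with the expected attributes. Paths, quota and the expected mode are assumptions.

```python
import os
import stat
import tempfile
import time


def dir_size_bytes(path):
    """Total size of regular files below path (symlinks are not followed)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            st = os.lstat(os.path.join(root, name))
            if stat.S_ISREG(st.st_mode):
                total += st.st_size
    return total


def mailboxes_over_quota(mail_root, quota_bytes):
    """Map user -> size for every per-user mailbox directory exceeding the quota."""
    over = {}
    for user in sorted(os.listdir(mail_root)):
        path = os.path.join(mail_root, user)
        if os.path.isdir(path):
            size = dir_size_bytes(path)
            if size > quota_bytes:
                over[user] = size
    return over


def check_file(path, min_size=0, max_age_seconds=None, expected_mode=None):
    """Return a list of problems; an empty list means the file meets every constraint."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_size < min_size:
        problems.append(f"size {st.st_size} < {min_size}")
    if max_age_seconds is not None and time.time() - st.st_mtime > max_age_seconds:
        problems.append("modification time too old")
    if expected_mode is not None and stat.S_IMODE(st.st_mode) != expected_mode:
        problems.append(f"mode {oct(stat.S_IMODE(st.st_mode))} != {oct(expected_mode)}")
    return problems


def build_sample_tree():
    """Constructed mail spool (alice: 3000 bytes, bob: 100 bytes) plus one config file."""
    root = tempfile.mkdtemp(prefix="monitor-demo-")
    for user, size in (("alice", 3000), ("bob", 100)):
        os.makedirs(os.path.join(root, "mail", user))
        with open(os.path.join(root, "mail", user, "INBOX"), "wb") as fh:
            fh.write(b"x" * size)
    conf = os.path.join(root, "service.conf")
    with open(conf, "wb") as fh:
        fh.write(b"key = value\n")
    os.chmod(conf, 0o600)          # owner-only, as a credentials file should be
    return root


def demo():
    root = build_sample_tree()
    conf = os.path.join(root, "service.conf")
    return {
        "over_quota": mailboxes_over_quota(os.path.join(root, "mail"), 1024),
        "conf_ok": check_file(conf, min_size=1, max_age_seconds=3600, expected_mode=0o600),
        "conf_wrong_mode": check_file(conf, expected_mode=0o644),
        "missing": check_file(os.path.join(root, "absent.conf")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The permission check is the part a built-in file size monitor cannot express, and it is the one worth keeping: a configuration file that has silently become world-readable is a security finding, not just a monitoring curiosity.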

And finally, a good suggestion: if you are using a monitoring tool and have failed to solve a task by the available means, it's always worth contacting the developer(s) and suggesting a new monitor type.

How often do you encounter a network monitoring task where the built-in means of the monitoring tool you are using aren't enough?

Virtual Private Networks: stay invisible on the Net

Tunnel - an allegory of VPN

Secure surfing

The concept of individual security on the Net includes secure surfing. Using proxies is not enough: your ISP still has the power to monitor all your activity and record your traffic, especially if you use your provider's DNS servers.

A VPN, or virtual private network, is a network built on top of an existing network; all the traffic through a VPN is «invisible»: encrypted, made indecipherable. VPN services are used by many corporations, since these networks provide a high level of Internet security when used properly.

There are many VPN products and services, both open source and commercial. The well-known open source OpenVPN is one of the most popular solutions if you care about secure access to the resources of your private network (intranet), or to any standalone server's resources.

However, you can also use VPN services free of charge to make Internet surfing more secure.

Beyond hiding one's traffic from prying eyes, a VPN can serve other needs. For example, it can allow accessing otherwise restricted or blocked sites (yes, the Internet has places blocked for certain people).

Free VPN services

There are several VPN services offering free usage, for example ItsHidden and UltraVPN. Both offer clients to access their networks; however, one can use other VPN clients to connect, such as Shrew Soft.

Although, for example, ItsHidden does not provide a Linux client, any existing PPP client, such as pptp, may be used.

After you create an account at a VPN service, install the client and connect, all your traffic starts to go through a safer path. At least it can't be directly watched by the ISP or any third parties en route.

It's not too hard to find other free and/or commercial VPN services if the ones mentioned do not satisfy your needs.

Security is a state of mind

Security, talking of Internet security, is a complex thing. It can't be reduced to a single one-time action.

If you plan to surf securely, you should take the following into account:

  • cookies: if you accept them, your privacy may be jeopardized; the best way is not to store any cookies
  • JavaScript (or other scripting languages) may break your privacy and report a number of private data to the site; disable JavaScript for better security
  • Java and/or any other active content may likewise report your real-life data to the server; disable it for better security
  • your public identity, such as the email address you use on «insecure» sites, may help to decipher your identity and disrupt privacy altogether

Thus, safer surfing means a less convenient interface, with many sites' functions not available.

«Convenience, security, reliability — choose any two».

How To: Find Locked Out User Accounts

It may be necessary to quickly find all the locked-out user accounts. The Saved Queries feature available in Windows Server 2003 and above can be the most convenient tool to achieve that.

In the Active Directory Users and Computers console right-click Saved Queries and select New, then Query. You will need to specify the query root (where in the namespace to start searching). You will need to use a custom search, since there are no standard queries that fulfil this task. On the Advanced tab enter the following query string:

(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))

Click OK twice to create and run the saved query. Note that the above query requires at least Windows Server 2003 SP1.

There's an alternative query that achieves the same:

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
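As an added explanation of the two filters above (this is example code written for this page, not something from the original post), the following Python script models what each filter tests on the lockoutTime attribute and adds the check a practitioner usually wants next. lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); the matching rule OID 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR, so the mask 4294967295 (0xFFFFFFFF) matches any value whose low 32 bits are non-zero, while (lockoutTime>=1) matches any non-zero value. Both return every account whose lockoutTime was ever set and not yet cleared, which happens only at the next successful logon; comparing against the domain's lockoutDuration keeps only accounts still inside the lockout window. The sample timestamps and the 30-minute duration are constructed; the sentinel for "locked until an administrator unlocks" is assumed to be the 0x8000000000000000 value AD uses for lockoutDuration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch; lockoutTime and lockoutDuration are "large integer" attributes.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration meaning "never expires automatically" (assumed 0x8000000000000000).
LOCKOUT_NEVER_EXPIRES = -(2 ** 63)


def datetime_to_filetime(dt):
    """UTC datetime -> 100 ns ticks since 1601-01-01."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def minutes_to_duration(minutes):
    """Domain lockoutDuration is stored as a negative interval in 100 ns ticks."""
    return -minutes * 60 * 10_000_000


def matches_bit_or_filter(lockout_time, mask=4294967295):
    """(lockoutTime:1.2.840.113556.1.4.804:=4294967295): true if any mask bit is set."""
    return (lockout_time & mask) != 0


def matches_ge_filter(lockout_time):
    """(lockoutTime>=1): true for any non-zero lockoutTime."""
    return lockout_time >= 1


def effectively_locked(lockout_time, lockout_duration, now):
    """Only accounts whose lockout window has not yet elapsed.

    The directory does not zero lockoutTime when the window ends; it clears it on the
    next successful logon, so the LDAP filters alone over-report.
    """
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_NEVER_EXPIRES:
        return True
    unlock_at = lockout_time - lockout_duration   # duration is negative: this adds it
    return datetime_to_filetime(now) < unlock_at


def demo():
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    thirty_min = minutes_to_duration(30)
    recent = datetime_to_filetime(now - timedelta(minutes=10))   # locked 10 min ago
    expired = datetime_to_filetime(now - timedelta(minutes=60))  # locked an hour ago
    return {
        "roundtrip_ok": filetime_to_datetime(datetime_to_filetime(now)) == now,
        "recent_filters": (matches_bit_or_filter(recent), matches_ge_filter(recent)),
        "recent_locked": effectively_locked(recent, thirty_min, now),
        "expired_filters": (matches_bit_or_filter(expired), matches_ge_filter(expired)),
        "expired_locked": effectively_locked(expired, thirty_min, now),
        "expired_locked_forever": effectively_locked(expired, LOCKOUT_NEVER_EXPIRES, now),
        "never_locked": (matches_ge_filter(0), effectively_locked(0, thirty_min, now)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice this means a saved query built from either filter is a good starting list, but an account it shows may already be able to log on again; the lockoutDuration comparison is what separates "was locked at some point" from "is locked now".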

How To: Find Groups User Belongs To

When permissions do not work as expected, it might be necessary to check which groups a user belongs to. Groups are usually used to make permission control simpler. Thus, especially in large environments, it could be necessary to have a list of all the groups the user belongs to.

There's no obvious means to do that. Browsing the members of a chosen group, especially if there are many members in it, can be quite tedious, and more so if there are many groups. What's worse, if your domain works at the Windows 2003 domain or forest functional level, groups can be nested, thus complicating the task even more.

However, there's a simple way: log in as the user, open a command prompt and type

whoami /groups

That will report all the groups the current user belongs to, including special ones like Everyone.

There's a pitfall, though: if the user belongs to a distribution group, the output of the above command may be incomplete: whoami doesn't display groups nested within distribution groups. Thus, the practical piece of advice is: do not nest distribution groups within security groups, since that can complicate access rights troubleshooting.

Roaming Profiles Caveats

Roaming profiles should only be used when a user can indeed log in and work at several workstations. They can cause more problems than they solve; there are a few suggestions, however, that could make roaming profile management much easier:

1. Do not set too strict disk quotas for users with roaming profiles. Profiles tend to grow and the user can easily lose important information. Forcing users to clean up their profiles is also a good practice, otherwise your domain controller will end up transferring a lot of files not required for regular work.

2. Encrypting File System (EFS) is incompatible with roaming profiles. Do not store them on such a filesystem.

3. Make sure users have full control only over their own roaming profiles. You can also use the trick of adding a dollar sign to the share name to make the share invisible to users browsing the network neighborhood.

4. Make sure the profiles are stored on an NTFS filesystem. All its extended features are important to make roaming profiles work smoothly.

5. Offline folder caching should not be applied to roaming profile shares. The synchronization will most probably fail, leading to unpredictable results.

How To: Enable Remote Desktop Remotely

When remote desktop is enabled, it's possible to use many of the capabilities the console provides, as if you were sitting at the real console. However, when it is disabled, the situation looks hopeless.

In order to enable remote desktop, one should already have a desktop session open on that computer.

However, WMI (Windows Management Instrumentation) allows you to solve that, if the computer on which remote desktop needs to be allowed is reachable on the intranet.

At the command prompt of another Windows computer, type

wmic /node:"computername" rdtoggle where ServerName="computername" call SetAllowTSConnections 1

(wmic is the WMI command-line utility; rdtoggle is its alias for the Win32_TerminalServiceSetting class, whose key property is ServerName). "computername" should be replaced, in both places, with the host name of the computer (as seen in the network neighborhood).

How To: Find Unused User Accounts

In many domain-controlled environments, especially in large companies, "dormant" (unused) user accounts may start to appear. Such accounts' activity should be well monitored, but first they should be found.

The simplest way is to use the standard 'dsquery' command-line utility to filter users by a given criterion. For example, the command

dsquery user -inactive NumberOfWeeks

where NumberOfWeeks is an integer value, will list all the users that haven't logged in for the specified number of weeks.

Note that the above assumes you're using a Windows Server 2003-level environment. If yours still has Windows 2000 computers in it, or is running at a mixed-mode functional level, try this command instead:

dsquery user -stalepwd NumberOfDays

How To: Detect Hung Services

Certain Windows services may misbehave and can hang (no longer respond). It may be quite tricky to determine the actual service state.

A Windows service may be in one of four states:
SERVICE_STOPPED
SERVICE_START_PENDING
SERVICE_RUNNING
SERVICE_STOP_PENDING


When a service is stopped, its state as shown by the services.msc control panel applet and by the net.exe command will both report it as stopped. When it's running, both report it as running. However, when a service is in a pending state, it will be reported as running as well.

The solution is to use sc.exe from the Resource Kit and its query syntax to determine the actual service state, i.e.

sc.exe query servicename

It will return the true service state. Also, sc.exe can be used to control, create, modify or delete a service as well, thus providing all the necessary interface in command-line mode.
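As an added example (written for this page, not code from the original post or from IPHost Network Monitor), here is a Python parser for the `sc query` output described above, together with the rule a monitor can apply to tell a slow transition from a hung one. The two output blocks are constructed, not captured from a real host. The example goes slightly beyond the post: it lists all seven SERVICE_STATUS current-state values defined in the Windows SDK (the post names four), and it uses the CHECKPOINT and WAIT_HINT fields that `sc query` prints: a service in a pending state is expected to advance its checkpoint within its own wait hint, so a pending service whose checkpoint has not moved for longer than the hint is treated as hung.

```python
import re

# Constructed `sc.exe query` output (not captured from a real host).
SAMPLE_STOP_PENDING = """\
SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530
"""

SAMPLE_RUNNING = """\
SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# All SERVICE_STATUS current-state values; the four pending ones are transitions.
STATE_NAMES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING", 4: "RUNNING",
               5: "CONTINUE_PENDING", 6: "PAUSE_PENDING", 7: "PAUSED"}
PENDING_STATES = {2, 3, 5, 6}


def parse_sc_query(text):
    """Extract name, state, checkpoint and wait hint from one `sc query` block."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    state = int(field(r"^\s*STATE\s*:\s*(\d+)"))
    return {
        "name": field(r"^SERVICE_NAME:\s*(\S+)"),
        "state": state,
        "state_name": STATE_NAMES.get(state, "UNKNOWN"),
        "checkpoint": int(field(r"^\s*CHECKPOINT\s*:\s*(0x[0-9A-Fa-f]+)"), 16),
        "wait_hint_ms": int(field(r"^\s*WAIT_HINT\s*:\s*(0x[0-9A-Fa-f]+)"), 16),
    }


def classify(status, previous=None, elapsed_ms=0):
    """'ok' for a settled state, 'pending' for a transition in progress, 'hung' when the
    service stayed in the same pending state longer than its WAIT_HINT without
    advancing CHECKPOINT (`previous` is the status from the last poll, `elapsed_ms`
    the time since that poll)."""
    if status["state"] not in PENDING_STATES:
        return "ok"
    if previous is None or previous["state"] != status["state"]:
        return "pending"
    if status["checkpoint"] == previous["checkpoint"] and elapsed_ms > status["wait_hint_ms"]:
        return "hung"
    return "pending"


def demo():
    pending = parse_sc_query(SAMPLE_STOP_PENDING)
    running = parse_sc_query(SAMPLE_RUNNING)
    return {
        "pending_state": pending["state_name"],
        "wait_hint_ms": pending["wait_hint_ms"],
        "first_look": classify(pending),
        "still_pending_later": classify(pending, previous=pending, elapsed_ms=45000),
        "running": classify(running),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the monitor would run `sc.exe query servicename`, feed its output to parse_sc_query, and keep the previous result between polls; a single snapshot can only say "pending", which is exactly the ambiguity the post warns about.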

About this Archive

This page is an archive of recent entries in the Network administration category.
