Checking Out NT Security

• 06/23/1999

Hands On: Harris Corp.’s Stat Security Scanner

If there is one thing that keeps network administrators on their toes, it’s their never-ending concerns over security aboard their NT systems. As a result, numerous products have entered the market that promise to automate everything from security analysis to intrusion detection.

Harris Corp.’s Electronic Systems Division fields an analysis tool called Stat, which scans each NT server it finds, whether it is installed as a standalone server or a member of a domain. It will provide an exhaustive check of each server to find weaknesses and misconfigurations that leave a machine open to potential intrusion.

Many of the opportunities for intrusion into an NT Server can be simple -- some you may never have thought were an issue.

For testing, we used a Microsoft Windows NT Server 4.0 with Service Pack 4 installed, running on a dual-processor Pentium 200 with 256 MB of memory. We extended the test bed to include a Microsoft Exchange Server 5.0 and two Internet Information Server 3.0 Web servers. These servers were on a switched 100 Mbps fiber optic Ethernet backbone system sporting Cisco 2820 and 2916-XL switches along with an IP-routed segment.

Stat is provided on a CD-ROM, including the documentation that installs as an online help file. The product itself installs in only a few minutes as a service on the main machine. It consumes little memory and uses server resources efficiently. One requirement to note is that it does require NT 4.0 and SP3 or higher.

We tested Stat on our standalone Web server first, then within the domain itself. We knew from past experience that default NT permissions and settings typically leave a server open to many forms of intrusion. Still, what we found was scary!

The most basic reason for deploying a server is to share files and resources between users. When shares are created, and permissions are correctly assigned, administrators feel that the server is safe. Stat identified shares as a security risk because administrator controls can be replicated or sniffed to learn usernames and passwords. Stat is correct in classifying shares as a risk, but sharing files is a normal requirement for NT systems. It was easy to see where a Stat user could get network functionality confused with operational or security issues.

Despite having the best of intentions, security managers can accidentally overlook some of the most basic issues, including password retention, length of passwords and disabling the Guest account. Stat not only helps evaluate these parameters but also goes one step further in demonstrating how to effectively lock down the server or domain.

Stat collects this information through a series of tests designed to try and set up NT server in accordance with C2 security compliance, as specified by the Department of Defense’s Red Book description of a secure system.

One powerful feature of Stat is that you can update the product over the Internet. Harris releases updates to Stat on its Web site, which means you can keep your scanner updated as often as Harris updates the product.

Since you may not want to be reminded every day that shares pose a security risk, you can edit the definition files for each category of scanned items, removing topics that you don’t want identified. If you do remove one of these options, however, future users of the scanner may not know that critical items are no longer being scanned. When you remove any item in the scan list, there’s no warning or help highlighting the ramifications of what you might be doing.

We would like to see Harris include a small introduction to the product in paper form. At present, all help and instructional material is found in the online help files, which are complete and clear. But new users of security products may not use Stat effectively if they are not aware of the basic risks associated with NT Server security.

The only other negative we found with Stat was the lack of information in the "specific info" section of each scanned item. Some items provided detailed information; others were completely blank. If Stat found that a particular function -- such as user rights -- to be blank, then it would be nice for Stat to report what it found.

Overall, Stat is an excellent product well suited to securing NT-based networks. We found it to be smooth, well-polished and a joy to use. We researched the findings of Stat and found them to have solid recommendations. Stat would be a valuable security tool in any network.

Harris Corp.
Melbourne, Fla.
(888)725-7828
www.harris.com
Price: $2,995 for one seat of an unrestricted administrative license, including 6 month subscription service updates.

+ Help files complete and useful
+ Updates available over Web
+ Well-polished, easy-to-use product

- No warning when scanning features are disabled
- Some scanned items return blank dialog boxes when no information is available to present