Monday, July 14, 2008

Black Hat Thyself - SBS 2003 (book excerpt)

g'day mates - I am Harry Brelsford, the author of Windows Small Business Server 2003 Best Practices (the infamous purple book). I am posting up a few pages per day of this book until SBS 2008 ships for all of us SMB consultants, SBSers, and Microsoft Small Business Specialists (SBSC). Enjoy the read!
Today I speak towards black hatting thyself, including packet sniffing!
Harry Brelsford, CEO at SMB Nation
Black Hat Thyself
So, you think you’re an SBS security hot shot? Perhaps you are. One way to validate whether you’re “hot or not” is to black hat yourself from the inside and from the outside. That’ll tell you exactly how super you are. In a nutshell, you’d download a port scanner such as GFI’s LANGuard Network Security Scanner and run it against your own server. Figure 5-13 shows how such a scan on the internal LAN might look (revealing tons of information) and Figure 5-14 shows how such a scan might look when run over the Internet, showing only the ports you opened via the EICW. (Talk about a great way to validate your work!) For the outside scan, run the scanner from a host that really is outside your network (a dial-up, a home connection, a colleague’s office), not from a LAN workstation; the whole point is to see exactly what the Internet sees, and then to compare that against the list of ports you told the EICW to open.
Figure 5-13
Black hattin’ on the inside.
Visit for the latest updates for any Microsoft product.
Figure 5-14
Black hattin’ on the outside.
BEST PRACTICE: Perform this activity on each SBS network you work on (even if it’s only one). Hopefully, you won’t be too surprised by the outcome (in general, SBSers don’t like to be surprised in this area). If you’re a consultant, share the outcome of this black hat exercise with your clients.
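To show what the inside/outside comparison looks like in code rather than in a GUI scanner, here is an added example (my own illustration, not from the book or from GFI). It does a plain TCP connect scan and then splits the result into the ports you meant to publish, ports that are open but should not be, and ports that should be open but are not. The EXPECTED_EXTERNAL set is an assumption for the example; copy the real list from your own EICW run. The fake listener exists only so the example can be exercised offline against loopback.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports you would expect to see open from the Internet once the EICW has published
# remote access, e-mail and VPN. This set is an ASSUMPTION for the example only;
# copy the real list from the EICW firewall page of the server you are scanning.
EXPECTED_EXTERNAL = {25, 443, 1723}


def probe(host, port, timeout=1.0):
    """True if a TCP connect() to host:port succeeds, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable or filtered
            return False


def scan_ports(host, ports, workers=32):
    """TCP connect scan of the given ports; returns the sorted list that answered."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in hits if is_open)


def compare_exposure(open_ports, expected=EXPECTED_EXTERNAL):
    """Classify an outside scan against the ports you meant to publish.
    'unexpected' is the list to act on: open to the world, but not by design."""
    found = set(open_ports)
    return {
        "unexpected": sorted(found - expected),
        "missing": sorted(expected - found),
        "as_intended": sorted(found & expected),
    }


def start_fake_service(host="127.0.0.1"):
    """Bind a listener on an ephemeral port so the scan can be exercised offline.
    Constructed stand-in for a real service: connect() completes against the
    listen backlog, so no accept() loop is needed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s


if __name__ == "__main__":
    svc = start_fake_service()
    port = svc.getsockname()[1]
    print("open on loopback:", scan_ports("127.0.0.1", [port]))
    # An outside scan that came back with 25, 443 and 3389 open: 3389 (Terminal
    # Services straight to the server) is the finding to chase.
    print(compare_exposure([25, 443, 3389]))
    svc.close()
```

In real use you would point scan_ports at the public IP from a host outside the network and feed the result to compare_exposure; anything in "unexpected" is either a firewall rule you forgot or a service somebody published behind your back.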
Packet Sniffing
Talk about an MCSE-level exercise that works for us SBSers as well: packet sniffing. Here you would install the Network Monitor tool that is native to the underlying Windows Server 2003 operating system, but not installed by default, and then sniff around. To install the tool, perform the following procedure:
1. Log on as Administrator on SPRINGERS1 (password is Husky9999!).
2. Click Start, Control Panel, Add or Remove Programs.
3. Select Add/Remove Windows Components.
4. Select Management and Monitoring Tools in the Windows Components Wizard and click Details.
5. Select Network Monitor Tools and click OK.
6. Click Next.
7. Insert Disc #1 when requested.
8. Click Finish.
In Figure 5-15, you can see what the results of a packet sniffing session might look like. This tool can be used to troubleshoot network problems (such as logon problems) and to search for rogue devices (such as another server running network monitoring on your network without your knowledge; the Tools menu has an Identify Network Monitor Users command for exactly that). One caveat: the Network Monitor that ships with Windows Server 2003 captures only frames sent to or from the server itself. If you need to see everything on the segment, you need the full version (shipped with Systems Management Server) or a third-party sniffer on a machine plugged into a mirrored switch port.
Figure 5-15
The three-way handshake of TCP session establishment (SYN, SYN/ACK, ACK) is shown here in a Network Monitor session. Look closely at the source and destination address columns (frames 31-33): the addresses swap between the first and second frame, and the third goes back in the original direction.
BEST PRACTICE: I used this tool once in early 2003 to investigate whether Microsoft automatic update sessions were actually going out into the ether. A client, a well-known Seattle-based author (not me!), believed said updates were going to an offshore site not controlled by Microsoft. The packet analysis facilitated by the Network Monitor tool showed the fears were unfounded. The client then rested easy and allowed his workstation to be automatically updated. I kinda felt like one of the central characters in an old US movie called Ghostbusters, and Network Monitor was my tool!
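To make the handshake in the Figure 5-15 caption concrete, here is an added example (mine, not the book's and not Network Monitor's code) that parses raw IPv4/TCP frames and pairs each SYN with its SYN/ACK and final ACK using the same columns you would read in the capture window: source and destination address, ports, and the sequence/acknowledgement numbers. The sample capture is constructed inline (no real traffic), and the 192.168.16.x addresses are an assumption based on the SBS 2003 default LAN. A SYN that never gets an answer, the signature of a port probe, is deliberately left unmatched.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

# Addresses are ASSUMPTIONS for the example (192.168.16.x is the SBS 2003 default LAN).
CLIENT, SERVER = "192.168.16.50", "192.168.16.2"


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4+TCP packet: 20-byte IP header, 20-byte TCP header,
    no options, checksums left zero. Constructed test data, not a real capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def build_udp_noise(src, dst):
    """An unrelated UDP datagram (protocol 17) so the parser has something to skip."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHHH", 137, 137, 8, 0)


def parse_ipv4_tcp(pkt):
    """Return the columns Network Monitor would show for a TCP frame, or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def _is_reply(a, b):
    """b travels the opposite direction of a on the same four-tuple."""
    return (b["src"], b["sport"], b["dst"], b["dport"]) == (a["dst"], a["dport"], a["src"], a["sport"])


def _same_direction(a, b):
    return (b["src"], b["sport"], b["dst"], b["dport"]) == (a["src"], a["sport"], a["dst"], a["dport"])


def find_handshakes(packets):
    """Walk the capture in order and pair each SYN with its SYN/ACK and the final ACK.
    Returns (syn_index, synack_index, ack_index, (client_ip, port), (server_ip, port)).
    A SYN that never gets a SYN/ACK (a port probe) is simply not returned."""
    parsed = [parse_ipv4_tcp(p) for p in packets]
    found = []
    for i, a in enumerate(parsed):
        if a is None or (a["flags"] & (SYN | ACK)) != SYN:
            continue
        for j in range(i + 1, len(parsed)):
            b = parsed[j]
            if b is None or (b["flags"] & (SYN | ACK)) != (SYN | ACK):
                continue
            if not (_is_reply(a, b) and b["ack"] == a["seq"] + 1):
                continue
            for k in range(j + 1, len(parsed)):
                c = parsed[k]
                if c is None or (c["flags"] & (SYN | ACK)) != ACK or not _same_direction(a, c):
                    continue
                if c["seq"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1:
                    found.append((i, j, k, (a["src"], a["sport"]), (a["dst"], a["dport"])))
                    break
            break
    return found


# Constructed capture: frames 1, 3 and 4 are the handshake; the rest is the kind of
# clutter that sits between them in a real trace.
SAMPLE_CAPTURE = [
    build_udp_noise("192.168.16.77", "192.168.16.255"),                    # 0: NetBIOS broadcast
    build_ipv4_tcp(CLIENT, SERVER, 1035, 445, 1000, 0, SYN),               # 1: SYN      client -> server
    build_ipv4_tcp("192.168.16.77", SERVER, 1099, 139, 5000, 9000, ACK),   # 2: unrelated session
    build_ipv4_tcp(SERVER, CLIENT, 445, 1035, 7000, 1001, SYN | ACK),      # 3: SYN/ACK  server -> client
    build_ipv4_tcp(CLIENT, SERVER, 1035, 445, 1001, 7001, ACK),            # 4: ACK      client -> server
    build_ipv4_tcp("10.0.0.9", SERVER, 40000, 3389, 42, 0, SYN),           # 5: unanswered SYN (a probe)
]

if __name__ == "__main__":
    for n, p in enumerate(SAMPLE_CAPTURE):
        t = parse_ipv4_tcp(p)
        print(n, "non-TCP" if t is None else
              f'{t["src"]}:{t["sport"]} -> {t["dst"]}:{t["dport"]} flags=0x{t["flags"]:02x}')
    print(find_handshakes(SAMPLE_CAPTURE))
```

The matching rules are the ones worth remembering when you read a trace by eye: the SYN/ACK comes back on the reversed four-tuple with an acknowledgement of the client's sequence number plus one, and the final ACK acknowledges the server's sequence number plus one.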
Spam Blocking
Spam blocking fits in the security chapter as well. The malady of “spam” is well known to readers of this book as unwanted e-mail traffic. In fact, the perception of excessive spam on an SBS 2003 network can create unwarranted criticism about SBS 2003 itself, which just isn’t fair.
Spam blocking can be divided into two discussion areas: content filtering and attachment blocking.
Content Filtering
I’ve enjoyed great success using GFI’s MailEssentials spam blocking program, which more than anything else flexes its muscles in the content filtering department. For example, e-mails containing the word “Viagra” are treated as spam and processed accordingly, which might include deletion, a move to another folder, etc. MailEssentials is shown in Figure 5-16.
Figure 5-16
Meet MailEssentials from GFI. Note that this product is very aggressive out of the box and will sometimes go too far, filtering out legitimate messages.
BEST PRACTICE: Because of the false positives and false negatives in the world of filtering junk e-mail, the oft-cited security author Roberta Bragg insists that I tell you to send filtered mail to a junk mailbox instead of deleting it! Right on, Roberta!
Another way to easily engage in a form of content filtering is to utilize the junk mail feature in Outlook 2003. This is a MAJOR IMPROVEMENT in Outlook 2003 and is discussed in Chapter 6.
Attachment Blocking
Of course, the simplest way to invoke attachment blocking is to complete the 15th page of the EICW titled “Remove E-mail Attachments.” I’ll discuss that more in Chapter 6 when you and I look deeper at Exchange Server 2003.
But meet GFI’s MailEssentials once again. Assuming you own this application for its effectiveness in the content filtering area, then consider using it as your attachment blocking tool.
BEST PRACTICE: The above statement raises the question about which attachment types to block if you’re using a third party tool such as MailEssentials. This list is easily created by looking at and copying the list from the Remove E-mail Attachments page in the EICW.
And yet another attachment blocking tool is contained within Outlook 2003 itself. Since I don’t want to spill the beans on Chapter 6 yet, I’ll wait to discuss it there. Similarly, you can use the SMTP application filter in ISA Server 2000 to engage in both content filtering and attachment blocking (discussed in Chapter 13).
BEST PRACTICE: I only cite GFI’s spam fighting tool because I know it. The infamous Stu at Sunbelt Software in Tampa, FL markets effective spam blocking tools (“I Hate Spam”) that deserve your purchasing consideration. The SBS-related newsgroups are also a source of information on third-party spam fighting applications (see Appendix A for this information).
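The two filters discussed above, content filtering and attachment blocking, plus Roberta Bragg’s rule of quarantining rather than deleting, can all be shown in a few lines. This is an added example of my own, not code from the book, from GFI or from Microsoft. The extension list is an assumption modelled on Outlook’s unsafe-file-type list; in practice you would copy it from the EICW’s Remove E-mail Attachments page so the two filters agree. The sample message is constructed inline and includes the double-extension trick (invoice.pdf.exe) that a naive “ends with .pdf” check would wave through.

```python
import os
from email.message import EmailMessage

# Extension block list. ASSUMPTION for the example, modelled on the Outlook
# unsafe-file-type list; in practice copy the list from the EICW's
# "Remove E-mail Attachments" page so both filters agree.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".reg"}

# Content-filter terms; "viagra" is the page's own example.
SPAM_TERMS = ("viagra",)


def is_blocked_name(filename, blocked=BLOCKED_EXTENSIONS):
    """Case-insensitive check on the LAST extension, so 'invoice.pdf.exe' is
    treated as .exe and 'SETUP.EXE' is caught despite the capitals."""
    if not filename:
        return False
    return os.path.splitext(filename.strip().lower())[1] in blocked


def strip_blocked_attachments(msg, blocked=BLOCKED_EXTENSIONS):
    """Replace blocked attachments with a short text note; return (msg, removed names).
    The note tells the recipient something was removed instead of silently losing it."""
    removed = []
    for part in list(msg.walk()):          # materialise first; parts are mutated below
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_blocked_name(name, blocked):
            removed.append(name)
            part.set_content(f"[attachment '{name}' removed by policy]")
            del part["Content-Disposition"]   # no longer an attachment
    return msg, removed


def classify(msg, spam_terms=SPAM_TERMS):
    """'quarantine' or 'deliver'. Filtered mail goes to a junk mailbox, never
    straight to deletion, so a false positive can still be recovered."""
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            texts.append(part.get_content())
    blob = " ".join(texts).lower()
    return "quarantine" if any(term in blob for term in spam_terms) else "deliver"


def build_sample_message(subject="Invoice", body="Please see the attached invoice."):
    """Constructed sample: one legitimate PDF and two executables, one of them
    hiding behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@springers.local"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream",
                       filename="SETUP.EXE")
    return msg


if __name__ == "__main__":
    msg, removed = strip_blocked_attachments(build_sample_message())
    print("removed:", removed, "disposition:", classify(msg))
    spam, _ = strip_blocked_attachments(build_sample_message(subject="Cheap Viagra"))
    print("disposition:", classify(spam))
```

Whatever product you use, the two checks to confirm are the ones this code makes explicit: the match is on the last extension and is case-insensitive, and a hit on the content filter changes where the message is delivered, not whether it survives.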
Virus Protection
So, would you consider virus protection a germane security topic? You betcha! I’ll discuss this much more in Chapter 11 with some step-by-step procedures using Trend Micro’s OfficeScan suite solution, but I’d be remiss to have a security chapter without emphasizing the importance of virus protection as part of your comprehensive approach to security on your SBS 2003 network.
BEST PRACTICE: I’ll say it here and again later on. Virus protection is only valid when the signature (definition) files are up-to-date; an engine running last month’s definitions gives you the look of protection without the substance. More later.
If you want to be humbled in a hurry, download the SpyWatch and SpyWare Remover spyware detection programs, install them and then, when no one is your witness, run them. You might be shocked to see what’s been camping out on your SBS network without your knowledge. Thanks to a student from the Louisville, KY hands-on lab for that tip! Many apparently harmless Web sites accessed by your users are really implementing click counters and other spyware nasties. One of the all-time greats (or “worsts”) was Gator. An instructor with whom I’ve previously worked on another tour had actually worked for Gator during the dot-com boom, and he sends his profound apologies!
Visit for additional SMB and SBS book, newsletter and conference resources.
FTP Site Notification
And now from the hallowed halls of the Harvard Law School! Did you know that if you dig deep enough into the legal treatises of the US jurisprudence system, you’ll find that long ago a hacker got off the hook because an FTP site at a company said “Welcome!”? Apparently the hacker claimed that he felt invited in to poke around and destroy things. The legal lesson learned here? Prevention! Make the introductory screen of your FTP site say “Authorized Users Only!” or something just as strong. On an SBS 2003 server the FTP banner and welcome text are set in IIS Manager, in the FTP site’s Properties on the Messages tab. While you are there, keep product names and version numbers out of the banner; a scanner reads that text back to an attacker just as readily as to a legitimate user.