Help in passing a penetration test

[Guest]

Hi,
I would really appreciate some help, and recommendations on defeating a
penetration test a security firm has plan for our network. The following has
already been done.
1. Anonymous access restricted on servers except the primary Windows 2000
DC
2. Null sessions blocked from WAN to LAN on firewall (port 139 and 445 and
135)
3. All Windows 2000 servers up-to-date with Service Packs and hotfixes
4. Baseline Security Analyzer ran and implemented on all servers.
5. I plan to set NoLMHash registry value on DCs.

Can anyone tell me how to block telnet access from a firewall, and from
switches, and what are the possible negative ramifications of doing so?
What security tips can be implemented on switches?
And am I right track, and what is missing from my above list?

Thanks very much
Hope.

PS all servers are windows 2000

 

[Roger Abell]

telnet uses tcp port 23

You should use the hardening guidance. For W2k servers
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx


But you should also see items in the the Products and Technologies
and the Additional Resources lists at bottom of
http://www.microsoft.com/technet/security/default.mspx

Some of what you have listed does not accomplish much if
the client machines are left untouched. A pen test will leverage
what cracks can be found, whether that be a weak client machine,
a gapping whole in a DC config, a poorly written web application,
etc.. You need to harden the whole, as security is only as good as
the weakest link.

 

[Enno Lenze]

Beside all the technical stuff:
Teach your staff. A high secure compute is useless, if the password ist
under the keyboard, and stuff like that.

For the firewall:
Block all ports, and then start opening the ports you really need. If
you want to pen-test yourserlf: www.nessus.org, a really good tool.

regards, enno

 

[C Hall]

Hope,

The commands to block telnet access on the firewall depend on what type of
fw you use. If someone is doing a pen test, it's likely from the outside, so
you should be primarily concerned with the gateway (router and/or firewall).
While this is out of the scope of this newsgroup, here's an example:

telnet w.x.y.z 1.2.3.4 inside

W.X.Y.Z represents your internal network or a specific internal address that
you want to have access to the fw. 1.2.3.4 is the mask that you use for your
network and inside is the INSIDE interface. By default, a firewall will deny
all traffic and you should use access lists to allow traffic that you want
to receive (e.g. port 80, 21, 53). If you're using Cisco products, you'll
find their newsgroups very helpful.

One book I've found to be immensely helpful in understanding security is the
Hacking Exposed books. Personally, I'd view the company that's been hired to
do this test as a tool to be used to help improve vs. a foe to be fought.

Good luck,
Chris

 

[Steven L Umbach]

I would consider disabling storage of lm hashes on all your servers also so
that the local administrator account can not be cracked so easily if
physical access can be gained and of course physical security is very
important. Lm hashes remain until the user changes their password. Your
firewall should be blocking netbios and telnet [from the wan] already. A
firewall should block all access by default and then you create the
authorized exceptions - if any. The same should be done for outbound access.
You should test your firewall yourself from the outside. Any network
adapters connected directly to the internet should have file and print
sharing disabled. Enforcing password complexity is a must. MBSA check for
only the weakest passwords. Keep in mind that by default shares created on
W2K computers give full control to everyone. Even though not written for
Windows 2000 the Threat and Countermeasure Guide is a good read. --- Steve

http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx

 

[Steve Riley [MSFT]]

Yes, good pen testers will start by trying to hack your people, because
sometimes this is so much easier than hacking a computer.

Steve Riley
(e-mail address removed)

 

[Karl Levinson, mvp]

Penetration tests are expensive wastes of money if you haven't already
reasonably and fully secured your network [and know how to do so on your
own]

Pen tests aren't pass or fail. No doubt something will be found, probably a
lot of stuff. The pen test report should tell you how you might better pass
the next one, if there is a next one. The trick to getting your money's
worth from a pen test IMHO is to know how to have your network fairly secure
first, so that the

There is a wide variety of network vulnerability assessment scanning
software out there, such as Nessus, which can be run on a free Knoppix-STD
boot CD, or get a free Windows version called NeWT from
www.tenablesecurity.com [a firm that includes the author of Nessus].
Running a scan might be helpful, although it might be too late to beat the
test, or too late to make network changes with adequate testing. Just be
careful when scanning to not accidentally bring down your systems, lock out
user accounts or swamp the network with traffic. Read the manual and scan a
few test systems first or run scans after hours.

If you're not using telnet, you should disable it on your switches. And you
shouldn't be using telnet if you can help it at all. Log into your switches
using whatever switch management procedures you use and follow the
instructions to disable it.