Small companies and small divisions of larger organisations often try to provide complete business functionality -- e-mail, Web presence, domain-based network -- with limited resources. When you come across client setups like the two I'll describe here, encourage the client to get back to basics and eliminate vulnerabilities created when networks aren't segmented correctly. Different organisations, same problem
A division of state government and a regional office of an internationally recognised philanthropic organisation wouldn't seem to have much in common. However, both organisations used a single internal Windows server -- one NT, the other Windows 2000 -- to act as a domain controller and Internet mail server, due to limited budgets. One of the organisations also used the server to host its public Web site. This configuration violates a basic tenet of network security: appropriately segmented assets and services. Since their servers were domain controllers, the organisations placed them on their internal network and provided the servers with external IP addresses to allow mail and Internet access. Both organisations also had nonfirewalled connections to their respective parent organisations' networks. The state government hired our company, CQUR IT, after the Web site was defaced several times. They had also detected inappropriate access and nonauthorised security changes on the domain controller, including deletion of security logs. The philanthropic organisation engaged us for the IT security elements of a financial audit, during which we learned that they suspected that their network-attached PBX had been hacked. Two other "unexplainable" incidents had necessitated two complete rebuilds of the domain controller in the previous three months, causing the irreparable loss of critical organisational data. Know who is at the door before you answer
Whenever we find an organisation with a domain controller assigned external IP addresses, usually for Web or e-mail access, it raises a red flag. This configuration is often a sign that the organisation doesn't have an overall awareness of security best practices and usually indicates more significant security concerns. Our initial step for both organisations was to scan the mail servers using Nmap and SuperScan. We were extremely concerned by the high number of open ports, including TCP port 139. The NETBIOS standard allows a significant amount of information to be gathered via port 139, even if the domain controller doesn't authenticate the user. (This vulnerability is well documented; a good discussion is included in the well-regarded text Hacking Exposed.) One way the vulnerability can be easily exploited is with a tool used by security professionals and hackers alike: NBTEnum (Net Bios Enumeration). The scrubbed example of the output we gathered from one of the organisations illustrates the rich amount of information about a system, including all local groups/users, global groups/users, shares, and password policy information (including account lockout thresholds) that can be gathered. Once a malicious external user has access to this information, it makes it significantly easier to gain inappropriate access to the network.