Amazing Stories of Network Admin Peter Pan Syndrome
We’ve been doing a lot of security work lately. I think anyone who works as a
contractor must be doing security work, because there seems to be so much of it
out there, and so little of everything else. If you’re not doing security work
now, you should think about getting into it, as it’s a very interesting
What’s really amazing about this work is the level of carelessness applied to
the security configuration of most networks. It’s like a entire legion of Peter
Pan’s woke up and decided they would become network administrators and
They assume the world is a nice, safe and friendly place made just for them.
Sort of like the people who drive 10 feet behind you while moving at 70MPH and
who assume the fairy godmother is going to take care of them and never require
them to stop suddenly.
Let’s look at a couple of the Peter Pan’s I’ve run into lately.
I Don’t Need No Stinkin’ Passwords!
The cornerstone of network security is access control. On most networks we
use passwords for access control. Newer networks may have implemented other
methods of access control such as Smart Card and biometric authentication. But
the beginning of access control always begins with some method to identify the
We were asked to evaluate the security infrastructure of a small company of
about 200 users. The small companies are fun because you can really get an idea
of how things work on an atomic basis. You can get to each server and talk to
every user. You get the real lowdown on how things work in the joint.
What did we find? Check this out:
* All user machines were running Windows NT 4.0 Workstation
* All servers were running Windows 2000 Server
* The Administrator password on all workstations was “password”
* The Administrator password on the servers was computer’s name
* The Guest account, for some reason, on the Windows 2000 servers was enabled
and had an empty password
* Five users had modems connected to their desktops. The password used to
connect to the corporate ISP accounts were, you guessed it, password.
* Account policies were set so that users could never change their passwords.
User passwords were the same as their employee number
* No account lockout policy was set (why would you need to?)
Pretty amazing stuff! Is it any wonder that they called us in to do a
security audit? The reason we were there was to determine why they’ve had a few
“security incidents” in the last month. It didn’t take a rocket scientist to
figure out why. I asked to talk to the network admin. It turned out he was a guy
who came in once a week to check out problems and implement any new stuff they
wanted. I asked him about this abysmal password situation. He said that the
users refused to remember complex passwords. What about the admin passwords? He
said that he didn’t think anyone would try to access the administrator accounts,
so he wanted to make sure that he wouldn’t forget the admin password, especially
since he only comes in once a week. It seemed to work well for him, because he
did the same thing at every site he worked at!
See what I mean about Peter Pan? What’s with this “assuming that no one
would try to access the Administrator account”? I bet this guy was the one
tailgating me on my way to the appointment to his site. His attitude toward
security certainly pointed to a belief in magical forces taking care of his
Firewall Gurus ‘R Us
I was called out on a case of bandwidth abuse. This company had a T1 link to
the Internet and they found the link was saturated around the clock. From my
matchbook cover calculations, that works about to be about 24 GB a day (YMMV).
The users on the corporate network weren’t able to get any work done over the
Internet because of the pipe saturation.
When I got there I fired up NetMon and pointed to the external interface.
Wowsa! The counters were going wild. What was really interesting about the
traffic was that there were a ton of incoming HTTP requests from IP addresses
not owned by the company. (the company had no published an Web services) The
machine was running a popular firewall. I asked the Firewall admin about how the
firewall was configured. He gave me the
* The firewall was configured to accept incoming VPN client requests
* The firewall was configured to accept incoming proxy requests on the
Internet connected interface
* There were no access controls on who could connect to the proxy listener on
the Internet interface of the firewall This is rich! I sat my fresh-faced,
ever-so-confident firewall guru in front of the computer and asked him to open
up Internet Explorer. Then I asked him to go to www.alltheweb.com and type in
the IP address of the Internet interface of his Firewall/Proxy machine. Bingo!
About a 500 hits all with the words “anonymous proxy” associated with it.
I asked him why he created an open anonymous proxy for the entire hacker/warezer
world to use. He explained to me that his VPN users couldn’t access the Web
while they were connected to the VPN. He tried to configure their browsers to
use the LAN interface of the proxy to access the Web, but it didn’t work. So, he
decided to create the anonymous proxy interface and tell his users to use the
anonymous proxy to access the Web. He didn’t think he needed access control on
the proxy listener, since only people in his company would know about it.
I explained to this guy that there were three facts in life:
* There is no fairy godmother
* If you tailgate long enough, your brains will someday be spilled on the
pavement and horseflies will light upon them
* There is no such thing as security through obscurity We got him fixed up by
calling the ISP and having his IP address changed. Then he whacked the external
proxy listener and configured the VPN clients to properly use the LAN interface
for their web proxy.
We use to have a running joke in my medical school. If asked a question that
we didn’t know the answer to, we would say “I don’t know the answer to that
question. I’m proud to say that I don’t know the answer to that question and I’m
proud to say that I am in a place that I can be proud to say that I don’t know
the answer to that question”. The point being that if we didn’t know what was
going on, we knew we could ask somebody that did before we killed someone with
If you don’t know what you doing, ask someone to review your design. If you
think you know what you’re doing, ask someone to review your design. The world
of Microsoft networking has completely changed from the open LAN concept to an
Internet fortress model. You’ve got to change with the times, or end up as
tailgating roadkill on the Internet superhighway.
Thomas W. Shinder, M.D., MCSE
Win2k Insider Newsletter
Questions? Comments? Visit the Win2k Insider Forum! http://boards.cramsession.com/boards/vbt.asp?b=781