
Local Security

  • These actions were used to secure the Proxy Server PC: 

The solutions outlined are dependent on the specific configuration of each in-house LAN and network services.  They are applicable to the configuration outlined in the Sample Setup and may or may not be applicable to other configurations.


The Wingate Proxy Server (V3.x or less) provided only a partial solution to the security problem.  Access to client machines was blocked, but the PC with the cable modem and the Wingate proxy server remained visible in the Network Neighborhood.  Wingate technical support writes:

"WinGate is not going to be able to block the WinGate machine itself from the Internet as that machine has an Internet connection physically, then WinGate, then your internal network connection. So, WinGate will block all connection attempts from the Internet from getting through to your internal network. What is happening here is that someone on the Internet is trying to connect to the WinGate machine itself, not through to your internal network machines. WinGate unfortunately is not going to be able to block this. Unfortunately, the machine with the Internet connection will always be vulnerable, there really isn’t much you can do about that, beyond disconnecting it from the Internet.

"However, there are, I am sure, some more security measures that can be taken on the WinGate machine itself, through your Operating system that will guard against this type of attack. I would start by making sure that TCP/IP is the only protocol bound to the Cable Modem connection, then make sure that file and printer sharing is NOT enabled for TCP/IP. Beyond that, I am sure you can get more information on securing your computer against Internet attack from Microsoft directly."

Note:  Additional security protection for the Wingate Proxy machine has been added in V4.x.



Actions applicable to most operating systems

  1. Disable default NT "Guest" Username.
  2. Confirm that non-common passwords are on every user account.  Consider non-common user names also.
  3. The Administrator Account cannot be disabled.  Change the name.  Add a password.  A utility in the Microsoft NT Server 4.0 Resource Kit, PASSPROP.EXE, can enable account lockout for remote logons that use the Administrator Account but not for interactive logons.
  4. Be careful with permissions.  Do not use Guests, Everyone or other unauthenticated users.  The Everyone group contains people you don't know: Guests, if the account is enabled, and users from other "trusted" domains.  It is indeed better to set up permissions with "Domain Users" or even "Authenticated Users". Everyone is a wide-open special group that you have very little control over.
  5. Disable file/printer sharing for TCP/IP.
  6. When file sharing is necessary, restrict scope and time available.  Turn off when not necessary.
  7. See next section for other important information.
  8. For additional information see Windows NT Magazine, October 1998, pp 117-158.



Actions Applicable to Windows NT

The primary objective in these steps is to hide the domain/workgroup icon from other ISP users.

Step 1. It was found that any single one of the following four actions causes all domain/workgroup icons except the local domain to be hidden in the local Network Neighborhood.  (It was subsequently confirmed that these actions also caused the in-house domain icon to be invisible to other users of the ISP's LAN.)

  1. Stop or disable the Server Service in Control Settings > Services applet; or
  2. Stop or disable the Computer Browser in Control Settings > Services applet; or
  3. Disable Cable Modem NIC binding in Network Properties > Bindings > Server > WINS Client (TCP/IP); or
  4. Disable Cable Modem NIC binding in Network Properties > Bindings > Workstation > WINS Client (TCP/IP).

Disabling the Server Service also disables the local LAN. The other three methods have no side effects that have been noticed in the defined configuration.

Step 2.  NT runs a number of services that are not usually needed. Most non-commercial installations do not require any network protocols except TCP/IP.

All unneeded bindings in Network Properties > Bindings were disabled.

The final configuration involved resetting NT Network services and properties as follows.

  1. Disable the Computer Browser in Control Settings > Services applet
  2. Disable Cable Modem NIC bindings in ALL entries in Network Properties > Bindings
  3. Disable Remote Access WAN wrapper bindings in ALL entries in Network Properties > Bindings
  4. Disable Remote Access Server Service in Network > Properties > Bindings

It is understood that the existence of domain/workgroup computers is identified by datagram Browser Announcements.

It appears that the Computer Browser detects incoming Announcements. Apparently these incoming Browser Announcements are intercepted by each of the first four items mentioned above.

The origin of locally generated announcements has not been fully traced, but this source is also apparently aborted on the ISP LAN since the ISP has reported that the domain/workgroup icon is no longer visible.  No new intruders have been identified since these actions were taken.

Related information on Securing Windows NT can be found at Phoneboy.



Since Windows NT was used on the server, it was also possible to monitor site access attempts by intruders with the Event Viewer. 

To activate the Security Event Viewer in Windows NT, use the User Manager to specify Audit Policies.

Failed logon attempt events continued to be found in the security log. 

The following is an example of the Windows NT security log output where:

LOCAL DOMAIN NAME = Local domain name
INTRUDER USER NAME = name entered by intruder in password logon dialog
INTRUDER DOMAIN NAME = Intruder's domain name appearing in Network Neighborhood > Entire Network > Microsoft Windows Network
INTRUDER WORKSTATION NAME = Intruder's workstation name

mo/day/98    00:19:05    Security     Failure Audit    Logon/Logoff      529    NT AUTHORITY\SYSTEM    LOCAL DOMAIN NAME    Logon Failure:
    Reason:        Unknown user name or bad password
    User Name:     INTRUDER USER NAME
    Domain:       INTRUDER DOMAIN NAME
    Logon Type:    3
    Logon Process:    KSecDD
    Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:    \\INTRUDER WORKSTATION NAME
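
As an added example (not part of the original page), the following Python code parses a text export of the security log in the layout shown above and groups event 529 failures with Logon Type 3 (network logon) by the workstation that made them. The sample records, including HOMELAN, PC-ALPHA and the other names, are constructed, and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed record template following the log layout above; HOMELAN and the
# workstation, domain and user names below are made-up sample values.
RECORD = """07/14/98    {0}    Security    Failure Audit    Logon/Logoff    529    NT AUTHORITY\\SYSTEM    HOMELAN    Logon Failure:
    Reason:        Unknown user name or bad password
    User Name:     {1}
    Domain:       {2}
    Logon Type:    {3}
    Logon Process:    KSecDD
    Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:    \\\\{4}
"""
SAMPLE_LOG = "".join(RECORD.format(*row) for row in [
    ("00:19:05", "administrator", "WG-EXAMPLE", 3, "PC-ALPHA"),
    ("00:19:09", "Administrator", "WG-EXAMPLE", 3, "PC-ALPHA"),
    ("00:19:14", "guest", "WG-EXAMPLE", 3, "PC-ALPHA"),
    ("08:02:41", "pat", "HOMELAN", 2, "PROXY"),      # mistyped console logon
    ("13:40:10", "admin", "OTHERWG", 3, "PC-BETA"),  # single network attempt
])
FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*?)\s*$")

def parse_entries(text):
    """Split a text export of the security log into one dict per event."""
    entries = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}|\t", line)
        if line[:1].strip() and len(cols) > 5 and cols[5].isdigit():
            entries.append({"Time": cols[1], "Event ID": int(cols[5])})
        elif entries and (m := FIELD.match(line)):
            entries[-1][m.group(1).strip()] = m.group(2)
    return entries

def failed_network_logons(entries, threshold=3):
    """Group event 529 failures with Logon Type 3 (network) by workstation."""
    hits = defaultdict(lambda: {"count": 0, "users": set(), "domain": None})
    for e in entries:
        if e["Event ID"] == 529 and e.get("Logon Type") == "3":
            src = hits[e.get("Workstation Name", "?").lstrip("\\")]
            src["count"] += 1
            src["users"].add(e.get("User Name", "").lower())
            src["domain"] = e.get("Domain")
    return {ws: s for ws, s in hits.items() if s["count"] >= threshold}

if __name__ == "__main__":
    for ws, s in failed_network_logons(parse_entries(SAMPLE_LOG)).items():
        print(ws, s["domain"], s["count"], sorted(s["users"]))
```

The interactive failure (Logon Type 2) and the single attempt from PC-BETA are not reported at the default threshold; only the repeated network attempts from PC-ALPHA are.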


Last Updated July 29, 2002 10:22:39 PM