Remote Access Services
Open Doors for Crackers
Copyright (C) 10/1997 by Howard Fuhs
Introduction
Network operating systems offer many practical and very useful Remote Access Services. Carelessly configured, RAS is simply an open invitation to strangers to enter and have a good look around the corporate servers.
In the course of corporate computerisation it is possible to identify some trends over the past few years. First, the corporate computers were tied into networks.
Then the server was kept running all night instead of being switched off when people left work, and a remote access route was provided to employees who travelled or worked flexible hours. This added the benefit that sales staff were able to reach the computer system from hotels or customer sites and retrieve the information they needed to do their work. However, what was aimed at remote workers also served crackers and industrial spies equally well.
RAS and the Computer Underground
The increasing use and expansion of Remote Access Services on corporate servers triggered the attention of the computer underground. A wide range of tools can now be found on the Internet with the purpose of assisting the cracker with attacks through RAS services. These mainly help crackers to fetch password files or to obtain administrator rights.
Toll-Free Numbers
So that the company rather than the employee is billed when a remote worker dials into the corporate network by means of RAS, many companies have taken steps to introduce toll-free numbers on their RAS lines.
This introduces two types of risk.
Firstly, the computer underground produce lists of interesting toll-free numbers on a more or less regular basis. These lists specify the character of each individual number, e.g. modem/computer, fax, telecommunications equipment offering added value services or voice.
The production of such lists is done automatically overnight by using a war dialler to dial all toll-free numbers. After all, this is a no-cost proposition! Because such lists exist, knowledge of a potentially interesting RAS line is rapidly distributed globally.
The second risk is also inherent in the fact that these numbers can be called free of charge to the caller. This allows a cracker all the time in the world to crack entry codes and passwords, and once these have been obtained to spend as much time as he wishes using the systems behind the server for his own purposes. Don't forget that most crackers have no money and lots of time.
Companies that wish to offer RAS via a toll-free number should employ an IT Security professional to make sure the RAS configuration is secure and correct, perhaps even perform penetration testing. Furthermore log-on attempts should be logged and either regularly studied for signs of attacks or fitted with an intrusion alarm. Finally, installation of third-party software to improve the security of RAS should be considered.
Default Configurations
Most often the network operating system and RAS are initially installed in their default configuration. This standard configuration comes preconfigured by the manufacturer of the network operating system. It offers the benefit that users can start working without further adjustments to the system being required. It makes things easy. In fact, too easy to be safe. The crackers obviously know about this and look for production installations that still use default settings. The reason is that the default settings offer an attacker security holes and attack avenues not present in a correctly configured installation.
The Administrator Account
Almost all network systems include as a default an administrator account with full access permissions. This makes the administrator account a very attractive target for all crackers. Take the case of Windows NT, for example. Here, the default administrator account user name is Administrator. At installation time this account does not necessarily have a password yet. In most cases this deficiency is quickly remedied, whereas many sysadmins do not bother to change the actual user name of the account. This reduces the attacker's work to discovering a password for the user account Administrator rather than having to first find a valid account name and afterwards a password that will let him through.
At this stage we encounter a further vulnerability. Because the Administrator account is required to operate the system it cannot be shut down, not even in cases where an incorrect password has been input numerous times. In theory this provides the attacker with an unlimited number of attempts to arrive at the correct password for the administrator account, which will give him unbounded power over the system.
The Guest Account
During installation of e.g. Windows NT Server, a Guest account is automatically established. On NT this account has very limited permissions. It does, however, offer an attacker an avenue into the system if it is not switched off. Once inside the system further avenues of attack may be explored. If a Guest account is not absolutely necessary it should be removed.
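The three points above (log and study RAS log-on attempts, the Administrator account that can never be locked out, and a Guest account that should not be in use) fit together into one piece of detection logic. The following script is an added example, not part of the original article: it parses a constructed RAS log-on record format (the layout, field names and sample values are assumptions) and raises alarms for repeated failures against a named account, for a success that follows such a run, and for any successful Guest log-on.

```python
import re
from collections import defaultdict

# Constructed sample of RAS logon records; the layout is assumed and is not
# any product's real log format.
SAMPLE_LOG = """\
1997-10-03 23:41:02 COM3 CALLER=555-0101 USER=jsmith RESULT=OK
1997-10-03 23:42:10 COM4 CALLER=555-0199 USER=Administrator RESULT=FAIL
1997-10-03 23:42:15 COM4 CALLER=555-0199 USER=Administrator RESULT=FAIL
1997-10-03 23:42:21 COM4 CALLER=555-0199 USER=Administrator RESULT=FAIL
1997-10-03 23:42:27 COM4 CALLER=555-0199 USER=Administrator RESULT=FAIL
1997-10-03 23:42:33 COM4 CALLER=555-0199 USER=Administrator RESULT=FAIL
1997-10-03 23:42:44 COM4 CALLER=555-0199 USER=Administrator RESULT=OK
1997-10-04 00:10:05 COM2 CALLER=555-0177 USER=Guest RESULT=OK
"""

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<port>\S+) CALLER=(?P<caller>\S+) "
                    r"USER=(?P<user>\S+) RESULT=(?P<result>OK|FAIL)$")

UNLOCKABLE = {"administrator"}     # the OS never locks this account out
SHOULD_BE_DISABLED = {"guest"}     # any successful use is worth an alarm

def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect_ras_abuse(text, fail_threshold=5):
    """Return (alert, user, caller, failures) tuples for suspicious logons."""
    failures = defaultdict(int)    # (user, caller) -> consecutive failures
    alerts = []
    for rec in parse_log(text):
        key = (rec["user"].lower(), rec["caller"])
        if rec["result"] == "FAIL":
            failures[key] += 1
            # Alert once at the threshold. For an unlockable account this
            # alarm is the only brake, since no lockout policy will stop it.
            if failures[key] == fail_threshold:
                kind = "guessing_unlockable" if key[0] in UNLOCKABLE else "guessing"
                alerts.append((kind, key[0], key[1], failures[key]))
            continue
        # Successful logon: flag Guest use and success after repeated failures.
        if key[0] in SHOULD_BE_DISABLED:
            alerts.append(("guest_logon", key[0], key[1], failures[key]))
        if failures[key] >= fail_threshold:
            alerts.append(("success_after_failures", key[0], key[1], failures[key]))
        failures[key] = 0
    return alerts
```

Run against a real RAS log, the threshold would be tuned to the site's normal rate of mistyped passwords; the point is that the alarm, not the operating system, is what stops a run of guesses against Administrator.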
Lost/Stolen Notebooks
To make life easier for users, RAS systems often allow the client software to store user name and password on hard disk, not to mention the dial-up telephone number. Within a security framework, storing access passwords together with client software must of course be prohibited. The practice allows whoever steals the notebook to log directly into the corporate network without any knowledge of access name or password.
RAS Security Concepts
Companies who wish to establish RAS should not do so without first designing a proper security concept to control the RAS application. This normally includes obtaining professional advice from an IT security specialist. Furthermore, RAS security must be audited and tested on a recurring basis to make certain it stays up to date and remains effective. In the framework of RAS security it is also necessary to consider whether RAS access should be limited to a single server, or if further network access should be allowed. In the case of an NT network, in other words, a RAS implementation must be carefully evaluated in view of the domain trust relationships effective in the network.