Gateway to the Corporation

by Russ Rogers - 11/18/00

Internet technology has completely consumed the corporate world. Companies can reach many more consumers via the Internet than via conventional means. However, as the corporate world embraces this wonderful opportunity, there needs to be an understanding of the security risks involved.

Being accessible from the Internet requires security measures beyond what most companies understand. It's a tremendous responsibility that takes constant vigilance on the part of both the company and the system administrator. Missing a single patch or service pack means you're vulnerable and so is your information.

Microsoft IIS, Apache, and iPlanet web servers are all vulnerable to problems with configuration and bad code. A quick glance at most security related web sites will reveal more than just a couple of issues with each of these applications. Corporate web sites become one of the initial targets for hackers who intend to break into the corporate network.

As an example, Microsoft IIS is notorious for having multiple vulnerabilities. The Showcode.asp file comes loaded, by default, and can allow Internet visitors to view files on the local machine. There is a serious buffer overflow within msadc.dll that has been public knowledge for quite a while, and still isn't patched on many web servers. Hackers know about this flaw and have written "easy to use" scripts that allow them to scan a range of addresses for this vulnerability, which could give them a remote command prompt on the web server.

Ok, so what's the big deal if a hacker changes our web site or gets on to that server? There's no proprietary corporate information on that box. We can just restore the site from backup.

While that might be true, you should understand that control of just one box behind the firewall becomes a "jump point" to the other systems on your network. Once an intruder has access to that box, they have access to the local password file, access to any NetBIOS shares available to that box, and they have the ability to backdoor the box. Any network connections from your LAN that are allowed to the web server, but might not be allowed out to the Internet, are also available.

There's also the concern of misinformation on your web site. Let's assume the intruder has no real interest in getting into your LAN. They simply want to ruin your reputation as a corporate entity. Access to a web server can allow intruders to make slight changes in the corporate web site. Unlike the "news worthy" web site defacements, small changes are less likely to be noticed immediately. Bad information about quarterly earning could be easily disseminated publicly. Think of the possibilities.

Here are some hints to help lock down your web servers:

• Stay up-to-date with current patch and Service Pack levels.
• Removal of all scripts (.asp, .cgi, .pl, etc) that aren't used is imperative.
• Examine the scripts you use on the web server to find any possible system calls that could lead to remote execution of code.
• Do not put personal or sensitive information on your web pages. Do not disclose private email addresses or phone numbers.
• User names and passwords that might be hidden within the HTML code of web pages can STILL be viewed in the document source.
• Monitor the vendor mailing list. This allows you to hear about problems or fixes in a timely manner.
• Most of all, don't just install a web server and forget about it.