Configuring Symantec AntiVirus Corporate Edition, part 7 (PDF excerpt)

422 Chapter 9 • Securing Your NAVCE 7.6 Environment
www.syngress.com 245_symantec_09.qxd 5/8/03 12:34 PM Page 422

Securing NAVCE 7.6 Windows NT/2000 Servers

■ Remember to consider the entire server environment, not just the NAVCE software installation. Physical security and operating system configuration are just as important to the overall well-being of your network environment.
■ Change the default symantec password when creating a new server group, and configure the SSC to prompt for the server group password whenever you close and re-open the console. Do not select the Save Password option when unlocking the server group, or you will defeat the purpose of having a password in the first place.
■ Use the built-in Windows utilities and applets to secure access to the Windows Registry against unauthorized intrusion, and use the AppSec utility to restrict users from launching resource-intensive scans on terminal servers.

Securing NAVCE 7.6 Novell NetWare Servers

■ Thoroughly configure and test the NetWare FTP service to ensure that LiveUpdate will function properly on your network.
■ When using the IPX protocol, use ipxroute config to determine your server's network number; you will use this number rather than the machine name when forwarding files to the Quarantine Server.
■ Remember that client PCs running only the IPX protocol will not appear in the SSC console.

Securing NAVCE 7.6 Client PCs

■ Use the Symantec System Center console to prevent end users from stopping scheduled virus scans.
■ Lock the real-time protection options in the SSC console to ensure consistent virus protection across your network.
■ For your 16-bit clients, configure login scans so that the user is unable to cancel them.

Using the Reset ACL (resetacl.exe) Tool

■ Reset ACL limits your users' ability to access or alter many key NAVCE functions, ensuring that the configuration dictated by your antivirus strategy is not compromised.
■ Test the changes made by resetacl.exe thoroughly for unexpected results, and be especially careful not to apply it to a workstation that relies on locally launched LiveUpdates to obtain new virus definitions.
■ If you need to undo the changes made by RESETACL, use any Registry editor to restore full permissions on the HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion Registry key.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: I support a small organization with a limited budget. What are the benefits of recommending the expense of a firewall to my management? Isn't antivirus software sufficient to protect my network?

A: Connecting any private network to the Internet, regardless of its size, can expose critical and confidential data to malicious attack from anywhere in the world. Firewalls can protect anything from an individual computer to a large corporate network from hostile Internet-based intrusion. Anyone who is responsible for a private network that is connected to a public network should strongly consider firewall protection. In this connected world, firewall protection is roughly equal in importance to maintaining renter's insurance: facing even a single incident without it will certainly make you wish you had made the investment. As for the ability of antivirus software to protect your network completely, it is by nature only as good as the latest virus definitions, which were in turn created in response to the latest viruses. While technologies like Bloodhound Heuristics (see Chapter 12) attempt to stay one step ahead of the hacker community, someone (and realistically hundreds of someones) will become infected with a new virus before the makers of antivirus software can create a defense against it. A firewall helps close the gap between the known threats addressed by antivirus definitions and the unknown threats that crop up on the Internet every single day.

Q: Our network uses a proxy server to restrict Internet access. How do I configure LiveUpdate to function behind a proxy?

A: By default, LiveUpdate uses the proxy server settings configured in Internet Explorer. If you need to change this default, open the LiveUpdate applet in the Control Panel, select I want to customize my proxy settings for LiveUpdate, and fill out all required fields, as illustrated in Figure 9.18.

Q: What is the best way to determine which ports I need to open at my firewall in order for my Windows clients and servers to function?

A: I recently found a wonderful freeware utility called FPORT (available at www.foundstone.com) that inventories a Windows-based client or server PC for all open TCP and UDP ports. Even more useful, FPORT displays exactly which service or .exe file is using the ports in question, similar to the output shown in Figure 9.19.
(This is useful not only for system inventory, but also for ensuring that your machines are not running anything they should not be.) Using a utility like this in conjunction with a detailed software inventory should be sufficient to determine which ports and/or .exe files you need to allow through your firewall.

Figure 9.18 Customizing Proxy Settings for LiveUpdate

Q: What are the benefits or drawbacks of using software-based personal firewalls (like ZoneAlarm or BlackIce Defender) instead of a single enterprise firewall solution?

A: A personal firewall is most effective when used exactly as its name suggests: protecting an individual (personal) computer, or providing protection for one or two PCs in a self-contained Small-Office-Home-Office (SOHO) environment. However, because they are designed to run on individual client PCs, personal firewall packages offer no options for centralized management or configuration. Once you move to a medium- to large-sized corporate environment (anything over ten PCs), personal firewall software becomes increasingly impractical; it simply does not scale well.

Q: How can I secure the NAVCE installation for those clients who never attach to my corporate LAN?

A: For remote or traveling users who will never connect to a NAVCE parent server, you can provide a CD with a custom NAVCE installer that carries preconfigured LiveUpdate and other configuration settings. (You can use any software designed to create automated installation packages, including WinInstall, Systems Management Server, and so on.) While the Reset ACL tool would prevent the user from altering any of these settings, it would unnecessarily cripple the NAV installation of a remote user. Even though this will be a largely un-networked computer, configure it in a Managed configuration anyway, as that will simplify the NAVCE update process if the user ever does need to attach it to the corporate network. For client machines that will connect to the network from multiple locations, use Roaming Client Support.

Figure 9.19 Sample Output from fport.exe

Q: What are some good guidelines to follow when securing a Windows or NetWare server?

A: Use the following checklist as a starting point. Some items are Microsoft- or Novell-specific; others are common to the installation of any secure computing system. As always, test these changes before deploying them in a production environment, especially those that involve Registry changes. You can also refer to Figure 9.20 for a quick visual overview of the physical layout of a typical NAVCE-protected network and the kinds of threats you can expect to have directed against your various network components.

■ Physically secure the server. Install the server in a locked room, use a CPU case lock, and keep the keys to both in a separate and controlled (but still accessible) location.
■ Enable a strict password policy, including minimum password length and complexity requirements.
■ Disable the Guest account.
■ Rename the Administrator account on Windows NT/2000/XP/.NET machines.
■ Regularly monitor the user account list for any unusual or unauthorized account creation.
■ Create two accounts for each administrative user: one for everyday use (checking e-mail and so on), and a second for actual network administration. (The idea is to avoid having Domain Admins logged in all the time when it is not strictly necessary.)
■ Assign Windows NT/2000 file and share permissions to the Authenticated Users group instead of the Everyone group.
■ Use NTFS on all NT-family disk partitions. FAT and FAT32 possess no security features.
■ Shut down and disable any unnecessary services, especially services like IIS and RAS that have security configuration issues of their own.
■ Enable auditing and configure file permissions on the Windows NT/2000 Event Viewer Security log.
■ Regularly monitor the Security, System, and Application logs in the Windows NT/2000/XP Event Viewer to detect any unauthorized activity.
■ Subscribe to the Microsoft e-mail notification service to stay informed of all new patches and updates.
■ Use TCP/IP filtering to restrict the TCP and UDP ports that can traverse your network.
■ Clear pagefile.sys at shutdown by setting HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to 1.
■ Use the Encrypting File System (EFS) in Windows 2000/XP/2003 to create an additional layer of security for your file shares. Note that EFS protects the files at rest on the server's disk; data read over a share is decrypted by the server before it crosses the wire.
■ Change the boot order in the system BIOS to prevent booting from a floppy disk or CD-ROM. In the case of extreme security concerns, remove the drives entirely.
■ In Novell NetWare, load CONLOG.NLM to record all keystroke activity on the server console. This information is stored in the consol.log file in the SYS:ETC directory.
■ Lock all NAVCE client options to ensure uniform virus protection on your network. Use the Reset ACL utility, if appropriate.
■ Hold regular user awareness training, either in person or via e-mail, memos, and so on, to maintain user awareness of antivirus and network security concerns.
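The script below is an added example, not code from the book or from Symantec, that turns several items of the checklist above into a read-only audit on a current Windows host (PowerShell 5.1 or later, run from an elevated session). It also gives a Get-NetTCPConnection-based substitute for the fport.exe inventory described in the earlier question, and lists who can still write to the NAVCE client Registry key that resetacl.exe tightens. Assumptions: the NAVCE key path is the one the Reset ACL summary names; the service names W3SVC and RemoteAccess are used to stand for IIS and RAS; the modern cmdlets replace the NT/2000-era GUI steps the book describes.

```powershell
# Added example; not part of the book or the NAVCE product. Read-only audit of
# several checklist items, an fport-style port inventory, and an ACL report for
# the NAVCE client key. Run elevated; PowerShell 5.1 or later.

$NavceKey   = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion'   # path named in the chapter
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$UnwantedServices = 'W3SVC', 'RemoteAccess'   # assumed service names for IIS and RAS

function New-Finding([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Get-AccountFindings {
    # Built-in accounts keep their RIDs (500 = Administrator, 501 = Guest) whatever
    # they are renamed to, so match on the SID rather than on the name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    New-Finding 'Administrator account renamed' ($admin.Name -ne 'Administrator') "name is '$($admin.Name)'"
    New-Finding 'Guest account disabled' (-not $guest.Enabled) "enabled = $($guest.Enabled)"
}

function Get-PageFileFinding {
    $value = (Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    New-Finding 'ClearPageFileAtShutdown = 1' ($value -eq 1) "value is '$value'"
}

function Get-VolumeFindings {
    # The checklist wants NTFS everywhere; FAT and FAT32 carry no ACLs at all.
    foreach ($v in Get-Volume | Where-Object DriveLetter) {
        New-Finding "Volume $($v.DriveLetter): is NTFS" ($v.FileSystem -eq 'NTFS') $v.FileSystem
    }
}

function Get-ServiceFindings {
    foreach ($name in $UnwantedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { New-Finding "$name absent" $true 'not installed'; continue }
        $ok = ($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled')
        New-Finding "$name stopped and disabled" $ok "$($svc.Status), $($svc.StartType)"
    }
}

function Get-ListeningPorts {
    # fport-style inventory: each listening TCP socket and bound UDP endpoint with
    # the owning process and its image path, the raw material for deciding which
    # ports the firewall (or TCP/IP filtering) has to allow.
    $sockets = @(Get-NetTCPConnection -State Listen | ForEach-Object {
                   @{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = $_.OwningProcess } }) +
               @(Get-NetUDPEndpoint | ForEach-Object {
                   @{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = $_.OwningProcess } })
    foreach ($s in $sockets) {
        $proc = Get-Process -Id $s.OwnerPid -ErrorAction SilentlyContinue   # Path is null for protected processes
        [pscustomobject]@{
            Proto = $s.Proto; Address = $s.Address; Port = $s.Port
            OwnerPid = $s.OwnerPid; Process = $proc.ProcessName; Path = $proc.Path
        }
    }
}

function Get-NavceKeyWriters {
    # Who can still change the NAVCE client configuration? After resetacl.exe has
    # run, ordinary users should not appear here; after undoing it, this is where
    # you confirm that full permissions are back.
    if (-not (Test-Path $NavceKey)) { return }
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions'
    (Get-Acl -Path $NavceKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $writeMask) -ne 0) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# Report
@(Get-AccountFindings) + @(Get-PageFileFinding) + @(Get-VolumeFindings) + @(Get-ServiceFindings) |
    Format-Table Check, Passed, Detail -AutoSize
Get-ListeningPorts | Sort-Object Proto, Port | Format-Table -AutoSize
Get-NavceKeyWriters | Format-Table -AutoSize
```

The script changes nothing; it only reports, so it can be run on a production server before and after a hardening pass. Anything the port inventory shows that is not on your software inventory is either a service to disable or a rule to write, which is exactly the comparison the FPORT answer recommends.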
Figure 9.20 Common LAN Threats (diagram: Internal Network Clients and the NAVCE Server behind the Firewall, Remote Clients outside it; areas 1, 2 and 3 are keyed to Tables 9.6 through 9.8)

Table 9.6 Area 1 of Figure 9.20

Threat | Defense
Port scanning and network attacks, and password sniffing | Enforce VPN encrypted connections
Out-of-date virus definitions | Preinstall NAVCE with frequent LiveUpdates

Table 9.7 Area 2 of Figure 9.20

Threat | Defense
Operating system vulnerabilities | Proactively monitor vendor Web sites for patches
Fraudulent or buggy NAVCE updates | Test all updates before releasing them into production
Registry attacks | Use REGEDT32 to secure NAVCE Registry keys
Physical security | CPU locks, BIOS passwords

Table 9.8 Area 3 of Figure 9.20

Threat | Defense
Malicious e-mail attachments | E-mail policies, end-user training
Peer-to-peer file sharing | Group policies, internal firewalls
Weak passwords | Enforce strong passwords and regular password changes
Physical security | CPU locks, BIOS passwords

Q: How can I determine which of my network PCs are not attached to the NAVCE system console?

A: There is no simple way to ask NAVCE "tell me all the clients that aren't attached to you," so your best bet is to compare the contents of the SSC console with your list of computer accounts in Windows NT4 Server Manager or in Active Directory Users and Computers on Windows 2000. Either or both lists can be exported to a text file for easy analysis in a spreadsheet or other reporting software.

Q: What do you do when you are finally finished developing your network security policy?

A: The real answer is that you are never finished with a network security policy. It is a living document that needs to grow and change along with the rest of your company's business processes, technological advances, and security needs.
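The comparison suggested two questions above, as an added example that is not part of the book: both exports are plain text with one computer name per line, and the script reports the directory accounts that have no client record in the Symantec System Center. The file names and sample lines are constructed for illustration; the normalisation rules (trailing "$" from a SAM export, DNS suffix from a console export) are assumptions about how the two lists typically differ.

```powershell
# Added example, not from the book. Requires PowerShell 5.1 or later.

function ConvertTo-HostKey {
    # Normalise a mixed bag of names so 'WS01$', 'ws01' and 'WS01.corp.example'
    # compare equal: trim, drop the SAM '$' suffix and any DNS suffix, upper-case.
    param([string[]]$Names)
    $Names |
        ForEach-Object { $_.Trim().TrimEnd('$') } |
        Where-Object { $_ -ne '' } |
        ForEach-Object { ($_ -split '\.')[0].ToUpperInvariant() } |
        Sort-Object -Unique
}

function Find-UnmanagedComputers {
    param(
        [string[]]$DirectoryComputers,   # Server Manager / AD Users and Computers export
        [string[]]$ManagedClients        # Symantec System Center console export
    )
    $managed = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($name in (ConvertTo-HostKey $ManagedClients)) { [void]$managed.Add($name) }
    # Accounts the console has never seen.
    ConvertTo-HostKey $DirectoryComputers | Where-Object { -not $managed.Contains($_) }
}

# Constructed sample input standing in for the two exported text files.
$directoryExport = @'
WS01$
WS02$
WS03$
FILESRV1$
NAVSRV1$
'@ -split "`r?`n"

$sscExport = @'
ws01
ws02.corp.example
NAVSRV1

'@ -split "`r?`n"

# With real exports, use Get-Content .\ad_computers.txt and Get-Content .\ssc_clients.txt,
# or (Get-ADComputer -Filter *).Name from the ActiveDirectory module for the first list.
Find-UnmanagedComputers -DirectoryComputers $directoryExport -ManagedClients $sscExport
```

For the sample lists the function returns FILESRV1 and WS03. Stale directory accounts will show up here too, which is useful in its own right: a computer account with no antivirus client is either unmanaged or should not exist.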
Chapter 10 Updating Virus Protection
245_symantec_10.qxd 5/8/03 4:14 PM Page 431

Solutions in this chapter:
■ Introducing the Virus Definition Transport Method (VDTM)
■ Introducing Symantec LiveUpdate
■ Introducing Intelligent Updater
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

[...] http://securityresponse.symantec.com/avcenter/defs.download.html
2. Select the appropriate language.
3. Select Norton AntiVirus Corporate Edition from the list of products.
NOTE: You will also see Symantec AntiVirus Corporate Edition in this list, which refers to version 8.0 (or later) of this software.
4. Click Download Updates. You will then be taken to a new page. In this case, it will be http://securityresponse.symantec.com/avcenter/...

[...] "remote folder" for your benefit: /public/english_us_canada/antivirus_definitions/norton_antivirus_corp. Therefore, the actual location of these definitions on Symantec's FTP servers is ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus_corp/. A screenshot of this folder is provided in Figure 10.12.

[...] the Update Settings window (Figure 10.7) to choose how often the NAVCE clients check the parent server for updates.

Figure 10.7 Settings for VDTM Update Interval

Introducing Symantec LiveUpdate

Now that you are familiar with VDTM, let's look at how LiveUpdate works. LiveUpdate is a Symantec technology that allows Symantec products to connect via FTP or HTTP to a Symantec server and retrieve program updates...

[...] the Norton AntiVirus Corporate Edition (NAVCE) software considers the file infected and attempts to remedy the situation. However, if the virus is new enough, or the virus definition files are out of date, an infected file will appear clean to the software. Therefore, it is critical that virus definition files be kept as current as possible.

Introducing Symantec LiveUpdate

Symantec's LiveUpdate allows Symantec...

[...] Installing the Symantec LiveUpdate 1.5.3.21 Administration Utility

Now, let's install the Symantec LiveUpdate Administration Utility. You can find this utility on CD 1 of your NAVCE installation set. However, quite often, newer versions are available on Symantec's Web site. Therefore, in our example, we will download the latest version rather than installing it from the CD.

[...] server. To configure servers to retrieve updates from Symantec's FTP site:
1. Launch the SSC by clicking Start | Programs | Symantec System Center | Symantec System Center Console.
2. Right-click the Server Group you wish to configure.
3. Select All Tasks | Norton AntiVirus | Virus Definition Manager. A screen will...

[...] it. RTVScan is the core program within Norton AntiVirus Corporate Edition. It performs functions such as alerting, discovery, scanning, and processing definition updates. Virus protection files contain unique patterns from thousands of different viruses. When a file is scanned to check for viruses, its binary code...

[...] NAVCE server to use VDTM.
1. Click Start | Programs | Symantec System Center | Symantec System Center Console.
2. Select and unlock the server group you wish to work on.
3. Right-click the primary NAVCE server for this server group. Then, click All Tasks | Norton AntiVirus | Virus Definition Manager. You will now...

[...] definitions. On some occasions, it becomes necessary to use the Intelligent Updater. One such scenario is when a new virus emerges and a LiveUpdate file has not been released by Symantec. In such cases, while its AntiVirus team is working towards a "cure" for the new virus, Symantec often releases beta versions...

[...] into thinking it is connected to the LAN, and a large vdb file can potentially be downloaded across the slow link. The good news is that with its next release of NAVCE (which will be known as Symantec AntiVirus Corporate Edition 8.0 or SAVCE 8.0), VDTM will also make use of the smaller incremental virus definitions (MicroDefs) used by LiveUpdate. Remember, there are always compelling reasons to choose VDTM, LiveUpdate, ...

[...] contain unique segments, often referred to as "signatures," of thousands of viruses. Norton AntiVirus Corporate Edition (NAVCE) detects viruses by comparing files that are being scanned against these...

Posted: 13/08/2014, 15:20