Introduction


Overview

Welcome to Professional Windows Desktop and Server Hardening! This book contains practical Microsoft Windows security advice, much of which you will read nowhere else, that I've been dispensing for over 18 years. Can you believe that Microsoft Windows 1.0 was released over 20 years ago, on November 20, 1985? While the operating system and some of my advice have changed over the last two decades, the security issues really haven't. Today's überviruses, worms, and trojans use substantially the same mechanisms they did back in the days of IBM's PC DOS. Sure, the languages change and the Internet has connected nearly every computer, but the attacking malware and malicious hackers are using the same tricks they always have.

Last week, I read how a new worm is encrypting users' data and asking for a $200 ransom to unlock it. Ho hum. The PC CYBORG AIDS trojan horse (http://ciac.llnl.gov/ciac/bulletins/a-10.shtml) did the same thing more successfully back in 1989. Lately, I hear some of my fellow security experts telling users how Windows-based rootkits are the scariest malware bug ever and how they will eventually lead to the death of antivirus software. I heard the same warning about macro viruses in 1995, polymorphic viruses in 1993, and multi-partite boot viruses in 1992. Somehow, antivirus vendors learn how to detect the new critters and life moves on.

I've heard how today's new stealth worms, which proactively hide from detection software and prying investigators, are somehow new. What was the first stealth malware program? The Pakistani Brain diskette boot virus (http://vil.nai.com/vil/content/v_221.htm) in 1986. It was the first IBM-compatible PC virus, and it spread around the world without involving the Internet. If someone looked at an infected boot sector while the virus was in memory, the virus would return the relocated original boot sector instead.

The media is always writing about how tomorrow's Internet worm will be worldwide and devastating. They neglect to remember that the real disasters are our loved ones in a hospital emergency room; everything else is just a nuisance. They also forget that the first worm that "took down the Internet" was the Robert T. Morris worm (http://en.wikipedia.org/wiki/Morris_worm) of 1988. The first malware program to affect the real world outside of the Internet was the ILoveYou worm (http://www.cert.org/advisories/CA-2000-04.html) in May 2000. Launched from the Philippines, it infected so many computers in one day that it caused my cell phone network to go offline for most of the first day (as it dealt with an overload of Internet-based e-mail messages heading to cell phones and pagers). The local telephone company's circuits were also overloaded for a few hours, but the icing on the cake was my morning paper being delivered at 5 P.M. that night. Not even Ronald Reagan's attempted assassination or the space shuttle disasters had done that.

The SQL Slammer worm (http://www.cert.org/advisories/CA-2003-04.html) of January 2003 has the notoriety of being the fastest recorded Internet malware to date. Within 10 minutes of its first exploited victim computer, it had infected nearly every Microsoft SQL Server and Desktop Edition client it could reach on the Internet (http://www.cs.berkeley.edu/~nweaver/sapphire). Launched at 1 A.M. E.S.T., by the time network administrators around the world had awakened, not only was the attack over, it had been over for nearly a normal business work day. And no security expert I know thinks its speed record will stand much longer.

Even the future is old news. There is barely a security expert alive who hasn't warned about cell phone and PDA viruses becoming ever-present in the new millennium, and they are probably right. But the first successful cell phone virus that caused a countrywide problem was back in August 2000. A script worm (http://wirelessreview.com/news/wireless_viruses_raise_flags) infected Japan's DoCoMo i-mode cell phone network, prompting users to answer whether they would drink out of a girlfriend's coffee mug if she had a cold. If they answered yes, the script then dialed the equivalent of our 911 system, eventually flooding Tokyo's emergency phone number with bogus calls. It was not only a cell phone malware attack, but also one that could potentially kill a person indirectly.

In my 18 years of dealing with malicious code, perhaps only the Nimda virus (http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html), with its six-plus angles of attack, and the 1992 Sara virus (http://www.avp.ch/avpve/poly-gen/mte.stm), the first polymorphic virus, really did something unique and unexpected. Everything else has been a small modification of someone else's idea or just a regurgitation of an old idea. It's perhaps more surprising to us "ole" computer security veterans that someone hasn't made something more malicious and that professional hacking is just now starting to be a daily economic force.

The biggest recent change in hacking is how many of the attacks are compelled by the profit motive. Until 2004, most viruses, worms, and hacks were the work of hobbyists, motivated by peer recognition and personal goals. Now, more and more, both automated attacks and hackers are motivated by dollar signs. The media is full of stories of corporate espionage. Governments are reporting wide-scale, sophisticated attacks against their national infrastructure systems. Hackers are gathering hundreds to thousands of hacked machines into malicious bot networks that are sold to the highest bidder. Organized crime figures routinely steal hundreds of millions of dollars scammed from online purchasers. People's identities and their credit card information are being stolen by the hundreds of thousands on a daily basis. It is not hyperbole to say that professional hackers will challenge our world's data networks like no other category of crime has ever been able to. I would be surprised if stronger governmental regulation of the Internet and software did not occur in the next half decade.

What hasn't changed are the ways computers are attacked and how you can defend against those attacks. I cover the various attack methodologies in Chapter 1, "Windows Attacks." If you know what is attacking you, you can always design successful computer defenses. I already know how to stop viruses, worms, trojans, and malicious hackers. The hard part is implementing defense strategies in a consistent way so that all computers receive identical, consistent protection. Chapter 14, "Group Policy Explained," and Chapter 15, "Designing a Secure Active Directory Infrastructure," will take everything you learn in the chapters in between and turn it into a security policy that is consistent and enforceable.



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
