Windows Security Challenge Network Holding Strong—So Far
When you invite the world to try to hack into your Microsoft network, what's the major security challenge you face? In the case of MCP TechMentor's Windows Security Challenge, it might be the security
- By Dian Schaffhauser
- 07/11/2002
(Seattle, Wash.) Imagine you've set up a network with Windows
2000 servers and desktops, XP desktops, Exchange, IIS, SQL Server, and
ISA Server. You've followed the security guidelines set down by Microsoft,
and you've applied service packs and patches that have surfaced since
those products were released. Then you invite the world to try to hack
into the network. What's the major security challenge you face?
In the case of MCP TechMentor's Windows Security Challenge, it's probably
the fact that the security guard protecting the room where the servers
are physically located keeps falling asleep.
One speaker said he was tempted to walk into the room and unplug something
in order to bring the Web site down.
On day one, attendees heard the highlights of the network hardening effort,
as explained by the team that did the work, including Microsoft security
consultant Steve Riley, SQL Server consultant Ted Malone, IIS expert Brett
Hill, firewall expert Joern Wettern and Active Directory consultant Laura
Robinson, and led by MCP Magazine Contributing Editor Roberta Bragg.
A diagram of the network is available at http://www.techmentorsummit.com/seattle/overview.asp#.
The presentations highlighted the same best practices outlined in Microsoft's
Security Operations Guide, available online at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/.
The three-day event is hosted by 101communications and MCP Magazine.
By 6 p.m. on Wednesday, the network was activated and hosting
a Web site at http://www.windowssecuritychallenge.com.
The Web page shows a simple guest book application. The information filled
in by visitors poses a sort of enticement to hackers, who try to access
the SQL Server holding the data.
"We're seeing a tremendous amount of attacks but there's nothing really
original... It's a lot of script kiddies," said Mark Burnett, an Internet
security consultant and author, who installed Snort to log activity for
the project. "I haven't seen anything really serious. It goes to show
just how effective the basic steps can be."
Malone, the SQL expert on the team, said visitors have tried to break
into the SQL application.
"Then they tried to get into IIS. Thousands and thousands of exploits.
Gave that up pretty quickly." He said the team has seen a lot of SQL injection-oriented
errors, in which hackers attempt to exploit an aspect of SQL by tricking
the application into running commands entered through data fields. Malone
showed in his session how to prevent SQL injection problems; the fix:
changing single apostrophes in the SQL code to dual apostrophes.
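As an added illustration (not code from the article or from Malone's session), the sketch below runs a guest-book insert three ways: with visitor text concatenated into the SQL, with apostrophes doubled as described above, and with bound parameters. It assumes Python's sqlite3 as a stand-in for SQL Server; the table, function names and inputs are constructed.

```python
import sqlite3

def new_guestbook():
    """In-memory stand-in for the guest book table (SQLite, not SQL Server)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guestbook (name TEXT, comment TEXT)")
    return db

def sign_concatenated(db, name, comment):
    """Vulnerable 'before': visitor text is pasted straight into the SQL string."""
    db.execute("INSERT INTO guestbook VALUES ('" + name + "', '" + comment + "')")

def quote_literal(value):
    """The fix described in the article: double every apostrophe in the data."""
    return "'" + value.replace("'", "''") + "'"

def sign_escaped(db, name, comment):
    """Same statement, but each value goes through quote_literal first."""
    db.execute("INSERT INTO guestbook VALUES (%s, %s)"
               % (quote_literal(name), quote_literal(comment)))

def sign_parameterized(db, name, comment):
    """Bound parameters: the values are never parsed as SQL text."""
    db.execute("INSERT INTO guestbook VALUES (?, ?)", (name, comment))

def rows_after(sign, name, comment):
    """Sign a fresh guest book once and return the resulting rows."""
    db = new_guestbook()
    try:
        sign(db, name, comment)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return db.execute("SELECT name, comment FROM guestbook").fetchall()

# Constructed inputs: an ordinary name containing an apostrophe, and a comment
# whose apostrophe closes the string literal so the rest is parsed as SQL.
PLAIN = ("O'Brien", "Great session")
CRAFTED = ("guest", "hi'), ('forged', 'entry")

if __name__ == "__main__":
    for label, sign in [("concatenated", sign_concatenated),
                        ("escaped", sign_escaped),
                        ("parameterized", sign_parameterized)]:
        print(label, rows_after(sign, *PLAIN), rows_after(sign, *CRAFTED))
```

Doubling apostrophes only protects values that end up inside a quoted string literal; bound parameters keep the value out of the SQL text entirely.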
The question the challenge is attempting to answer, said Bragg, program
chair for the event, was, "Can a small business protect against the threats
that are out there?" Her conclusion: "It is not that hard. It takes time.
It takes commitment."
But there's a bigger issue at stake, she said. "It's not about securing
your world; it's about securing the world." That, she said, requires
a different mindset.
The network will remain live until the end of Thursday.
About the Author
Dian L. Schaffhauser is a freelance writer based in Northern California.