Linux versus NTFS security, across the LAN

[Frank B Denman]

I'm hoping somebody here is bi-lingual.

I booted a Knoppix cd on a workstation on my domain today and was dismayed at
how easily I had obtained read access to local ntfs files.

Query: If I had known my way around Linux a little better, would I have been
able to browse or map my way across the LAN to a drive on my Win2k Server and
read the files therein as easily as I read the local files?

This has some immediate implications for a client of mine who is considering
subletting some of her unused office space. Although her server is physically
secured, a subtenant would have physical access to some of her workstations and
LAN ports.

Thanks.

Frank


Frank Denman
Denman Systems
(e-mail address removed)
Please delete the "x" from my email address.

 

[Oli Restorick]

Answered in-line......

Query: If I had known my way around Linux a little better, would I have been
able to browse or map my way across the LAN to a drive on my Win2k Server and
read the files therein as easily as I read the local files?

No. Accessing files across the network is always governed by the NTFS and
share permissions and relies on the fact that you have authenticated with a
domain controller.

This has some immediate implications for a client of mine who is considering
subletting some of her unused office space. Although her server is physically
secured, a subtenant would have physical access to some of her workstations and
LAN ports.

Well, the client would be able to do the same on the workstations as you did
on the server, so if your client has data stored on the workstations' hard
disks then this is equally insecure. Also, if someone can use this method
to place a file on the hard disk, they could easily find a user profile of
somebody with domain admin priveleges and script the addition of a domain
account with administrator privileges and a known password. Then, they
could just wait for that user to log on.

Encrypted File Systems (EFS) is an option for this scenario.

Having someone else have easy access to your LAN means that security risks
that were mitigated by having protection at the perimeter of the network are
now no longer mitigated.

I'm imagining a small business here, but one option that springs to mind is
to place all the workstations on one switch/hub which is physically secured
and turning that switch/hub off out of hours. That may provide some
protection in conjunction with EFS to protect the workstations.

This sounds like a trust thing to me. If your client doesn't trust her
subtennent she should divide off the office space to provide physical
security or not let the space out.

Regards

Oli

 

[Joe Richards [MVP]]

The CD running on a local machine has direct access to the underlying file system which is why it had access to those
files. It will not have the same access to network stuff. I.E. You would have the same access to the network stuff as a
Windows machines would have.

 

[Frank B Denman]

The "trust" issue is dead on, and that's the first advice I offered my client.

When I asked this question in a linux security group, one of the responses
suggested locking each port on the switch to a particular MAC address.

Since the existing switch is unmanaged, merely turning it off is an interesting
thought, particularly if I can devise a way for the client to do it remotely
(without traipsing off to the locked wiring closet).

Then again, maybe it's time I did my homework on managed switches....

My thanks to everyone for the good advice and suggestions.

Frank

I'm imagining a small business here, but one option that springs to mind is
to place all the workstations on one switch/hub which is physically secured
and turning that switch/hub off out of hours. That may provide some
protection in conjunction with EFS to protect the workstations.

This sounds like a trust thing to me. If your client doesn't trust her
subtennent she should divide off the office space to provide physical
security or not let the space out.

Frank Denman
Denman Systems
(e-mail address removed)
Please delete the "x" from my email address.

 

[Frank B Denman]

Hi Oli,

Let's see if I'm understanding this correctly:

If I enable bios security on the workstations and disable floppy/CD booting,
I've not only protected data on the local drives, but I've foreclosed the
"create a new admin account" scripting exploit you described.

So my remaining risk is thru network attack if a tenant plugs his own machine
into a port on my client's LAN. I'm assuming that a fully patched Win2k server
is well equipped to resist such attacks, and if security logging is
appropriately configured, there's going to be an audit trail.

Any thoughts about what events I should be logging? And about what I might be
overlooking?

Thanks.

Frank

I would think that access to the workstations presents a bigger security
risk than access to the switch, especially if the sub-tennant has the
opportunity to work out-of-hours.

Regards

Oli

Frank Denman
Denman Systems
(e-mail address removed)
Please delete the "x" from my email address.

 

[Oli Restorick [MVP]]

Of course, BIOS locking won't help you if somebody decides to open up the
computer. They could reset the BIOS. They could take your hard drive out,
clone it, and then have all the time they wanted to crack any passwords on
the disk.

There are always ways around whatever security you put in place. You have
to decide how far you go in making your systems as secure as they need to
be. Normally, that involves making the barriers high enough that nobody
bothers to try and climb over them because the rewards by doing so aren't
enough to warrant the effort.

If your client is asking for the systems to be makde "secure", there is no
such thing as 100% security.

Regards

Oli

Hi Oli,

Let's see if I'm understanding this correctly:

If I enable bios security on the workstations and disable floppy/CD booting,
I've not only protected data on the local drives, but I've foreclosed the
"create a new admin account" scripting exploit you described.

So my remaining risk is thru network attack if a tenant plugs his own machine
into a port on my client's LAN. I'm assuming that a fully patched Win2k server
is well equipped to resist such attacks, and if security logging is
appropriately configured, there's going to be an audit trail.

Any thoughts about what events I should be logging? And about what I might be
overlooking?

Thanks.

Frank