Last time we looked at cookies and their impact on you. In this issue, we’ll tackle more security for your Web server (or your Web browser, for that matter). Security is something that we all need to take seriously—although it is possible to be so paranoid that you can’t get the full benefits of Web shopping. (Just keep in mind that without allowing some kind of user-specific site data to be stored on your local box, you’ll never get the kind of personalized Web experience that we’ve all come to expect.) Also, I’ll cover some cool aspects of Perl goodies for NT, as well as yet another of my infamous Goodies.
One great way to check your system’s security is to attack it. A friend of mine turned me on to a couple of way cool sites that specialize in this kind of “TERM warfare”. The concept behind the sites is that every computer system offers lots of different ways to break in. And the sad fact is that every time you install a new TCP/IP daemon program, you’re potentially allowing additional entry points into your system. For example, adding the Oracle database means that the “TNS Listener” daemon listens for incoming messages on a configured TCP/IP port (1521, by default). However, a clever and malicious application can exploit that fact to infiltrate your computer using that port number. And while Oracle probably has enough safeguards to eliminate its TCP/IP listener as a serious security risk, not every TCP/IP application that you install on your box is as thorough.
The great site “Shields Up!” (Gibson Research Corporation, http://grc.com/x/ne.dll?bh0bkyd2) directly addresses common weak points in your system’s TCP/IP armor. Entering the site (nothing to download, isn’t that great?) immediately goes to work on your system (Figure 1).
You can use the Web site both to check the security of your machine’s network connection and to check some common TCP/IP ports for weaknesses. For example, on my box I run both a Telnet server and an FTP server. I normally connect through a dial-up at my workplace, which is armed with a full firewall. After running the port scan, Shields Up! reported that it was unable to access any of my common ports (FTP, Telnet, SMTP, HTTP, and so on). However, even though my workplace provided a firewall, the Web site could still determine:
· My local login name
· My local machine name
· My machine’s NetBIOS name
· My workgroup
That’s scary, especially since Shields Up! reports that my machine is relatively hardened against network attack. It makes me wonder about softer machines and the dangers they go up against. My friend Joe Berry was attacked via a TCP/IP port without his even being aware of it. When he finally discovered what was going on and tried to remove the offending applications, the hacker responded with the equivalent of a missile attack! Net result—days of lost time and software. And that was against a serious professional with tons of experience setting up computer networks!
As a nice aside, Shields Up! offers a free IP agent that guarantees that the Shields Up! Web site uses the correct IP address when probing your machine. The really interesting thing (to me, at least) is that the IP agent is only 16k and was written entirely in assembler language. (Sad to say, I must admit I’ve never written even one Windows program in assembler!) I downloaded the program, and let Shields Up! try its magic on me again. Big surprise! Shields Up! couldn’t even get through to me. It turns out that Shields Up! had been using the IP address of my proxy in the earlier run, which means that none of the connection attempts could have succeeded anyway.
The Web site itself provides a tremendous resource for anyone wanting to find out more about security issues. For example, I found that a simple firewall monitoring system I’ve been writing is evil. I kid you not. My brilliant idea was to open a connection on every well-known port (such as Telnet 23 or HTTP 80) and listen for incoming traffic. Then, I’d filter out the bad stuff (based on originating IP address) and print out reports. Egg on my face! Shields Up! has a whole page (http://grc.com/su-reading.htm) on this approach and why it’s wrong. For one thing, it advertises to the world that I have a “Web farm” full of listening software on every interesting port. And a clever hacker would not only discover that my machine was ready and waiting for connections, but could probably find a way around my filtering software. End-result: a security system that actually invited problems (Shields Up! compares it to unlocking your front door and leaving it ajar to catch a burglar).
If you’re interested in the subject (and I bet all of you are), then you’ll want to check out the author’s homepage at http://grc.com/steve.htm.
A Danish programmer provides a complete picture of the things your Web browser tells the whole world, even if you’re behind a firewall! Henrik Gemal (http://www.gemal.dk/browserspy/spy.html) has done a nice job on this site. He provides a set of Java applets that extract information from your machine. You can select from multiple types of information, including your personal information! It’s true! If you have installed the Address Book and you aren’t on a secure system, then any Web application can get your name, address, age, and anything else you’ve entered in the Address Book (once you’ve connected to an interested site). Fortunately, my company firewall protects me from this type of abuse, but the idea that all that information is easily obtainable makes me nervous.
Even with the firewall protection, this site was able to find out lots of information about me. It could see what my Web browser was (and its version) as well as every component (and their version) I had installed. Other interesting items included whether I allowed Cookies and what my operating system version was. All in all, this tells me that you can actually get quite a bit of information from Java applets! And just when I thought they were harmless…
A couple of articles ago, I reviewed some interesting TCP/IP speedup programs. As a follow-up, here are a couple of new programs I recently installed and tried out.
This software ($10 shareware, http://smartalec2000.blizznet.com) got rave reviews from another online magazine, and it sounded promising. Its claim to fame is providing a single interface to improve several areas of your computer’s performance. After installing the application, I saw that I could modify TCP/IP, 3D video, Security, and CPU/Memory settings. While at first I wasn’t too impressed with the application (I don’t think the author provides enough explanation of what the tweaks do and how they work), I must admit that I got a noticeable improvement simply by selecting the “Quick Optimization” for a home PC (which automatically sets various TCP/IP settings). I got download speeds of up to 11KB a second on a 28.8 connection line. And the Windows Start menu (and the folders it activated) came up instantaneously!
On the down side, I couldn’t use this application to see exactly what all my current TCP/IP settings are (you must buy the “full” program for that). But, I can recommend that you try this one out.
Patterson Design Systems provides this TCP/IP settings tweaker ($15 shareware, http://www.pattersondesigns.com/tweakdun/). It’s specifically designed for dial-up boxes (hence the name—“Tweak Dial-Up Networking”) and basically provides a single screen to set the major TCP/IP performance settings. The shareware version offers limited functionality, and the only thing you can actually set is the MaxMTU (which should be at 576), along with whether or not to enable IP address lookups through your local Hosts file.
The software also provides a Hosts file configuration editor, of which the best feature is an IP address updater. This updater checks (and corrects) the listed IP addresses of the various hosts you have in your Hosts file.
Another nice feature is that the application provides you with the registry key for your TCP/IP settings, so the braver of you can edit your settings directly (I’d recommend having the NT Resource Kit available first!). Plus, the main screen provides you with an overview of your current TCP/IP settings that can affect your throughput (even though you can only modify the MTU setting).
The Windows Registry serves as a common application data storage area for just about every piece of software written today. As a result, it’s not uncommon for your computer to slow down over time simply because more and more information winds up in the registry. All of your system and user preferences for your entire installed hardware and software end up here, and it takes time to retrieve this information.
To compound the problem, many applications don’t remove all their information from the registry when they get uninstalled. As a result, just about every computer in the world has some unused data items lost inside the registry. And a whole cottage industry has risen to help you manage this mess.
These registry cleaners follow two models: automatic and manual. The automatic cleaner searches all your registry entries and tries to correlate them to specific applications on your computer. Registry entries referencing missing software get removed automatically. Manual cleaners, on the other hand, don’t want to remove entries indiscriminately. Instead, these cleaners get confirmation from you before removing registry entries.
RegCleaner (freeware, http://www.saunalahti.fi/jv16/) falls into the manual category (which I prefer). It shows you the software application entries in the registry, and identifies (with a high degree of accuracy) those entries that don’t need to be there. You select one or more of the offending entries, and click on the Remove button. The software copies the registry entries to a backup folder and (most importantly) removes them from the Windows registry.
My own registry turned out to be quite clean (only one extraneous entry). However, I’d lay odds that you’ll get a pleasant surprise at how well this little application can improve your system. Safe, clean, and secure—I recommend this little gem well above any of the high-priced automatic cleaners!
While not falling into the PC speedup category, this application (from the same author as RegCleaner above) does so many nice things, I felt I must mention it. It answers several questions, including “How stable is my CPU?” and “How fast is my CPU?”. You can run the stability tests (which require 24 hours—I did mine over a weekend) and put your CPU through many extraordinary gyrations. You can benchmark your PC in just a few seconds (although the number returned really has meaning only when compared to a benchmark from the same program on a different computer). And you can also get various types of system information (actual CPU clock speed, RAM, and BIOS). All in all, an interesting program, especially since the author is only 17!
Another good way to make sure your system performs up to spec is by making sure you have the latest Windows upgrades installed on your box. I’ve gone over the Windows Update Web site (http://windowsupdate.microsoft.com/default.htm) before, but it bears mentioning again that you can go here to find out all the latest and greatest patches and new free products from Microsoft. Unfortunately, you can’t yet get Service Pack 6 from Windows Update; instead, go to http://www.microsoft.com/ntserver/nts/downloads/. You get access to every NT Service Pack, and a host of other great Microsoft downloads.
In spite of the inflammatory-sounding title, I’m not discussing political philosophy. Rather, software implementation. Specifically, a very handy Web site for anyone who wants to enable remote access to an NT box, without paying licensing fees.
The War Web site (http://www.jgaa.com) features several extremely well written applications, including War-FTP Daemon (95/98/NT), an FTP client, mail programs, and an object-oriented HTML editor!
For my purposes, I looked only at the War-FTP Daemon. Boy, what a package! This is an MFC (Microsoft Foundation Classes) application that I enjoy running (definitely not the norm, since MFC applications tend to be bloated and ugly).
You’ve got several choices for the version you want to download—I chose 1.65 since it sounded reasonably stable. My download weighed in at just over 1500KB.
Do not double-click this application to install it (I trust my readers never tell the browser to run a program from its current location, correct?). Instead, copy the executable into a temporary directory (any will do) and double click it there. It unpacks the installation program into the current directory, and you then run the Setup program. While the setup program could be spiffier, remember that things rapidly get much more impressive.
Once installed, start the application and immediately select Properties/Security/Edit User. (Despite the name, you use this screen to add and edit users.) As you add users, you’ll want to set up the file permissions appropriately. This is one place where the application really shines! You can set up:
· A unique default login drive:/directory for each user.
· Four different permission levels for files: Read, Write, Delete, and Execute.
· Three different permission levels for directories: List, Create, and Remove.
· Different permission levels for individual directories within a drive. As an example, assume that everything on drive F: is fair game for FTP logins except for a directory called F:\MyStuff\CriticalStuff. It’s a little tedious, but you can set up these permissions any way you want.
· Different permission levels for different drives.
The War-FTP Daemon security model uses a “three-state” approach. In other words, directory/file access can be enabled, disabled, or default. (Default means that the user inherits the system-wide defaults for directory/file access.) Since you may specify unique permissions for each user in every directory, with a large number of users this becomes unwieldy. However, the application provides some reasonable reports to help you manage who has access to what. And while the reports come in a one-size-fits-all flavor (no complex SQL queries here), the report formats made it trivially easy to massage the data any way I wanted to by writing simple Perl scripts (although any other data-manipulation would do just as well).
One thing that confused me was how to enable full access to an entire drive for a user (such as myself!). Here’s a cheat sheet (remember, this is for version 1.65!):
1. Add the user you want, and click the “File Access” tab.
2. Under the “Path” list (initially contains only the [default permissions] entry), click Add.
3. In the lower-right corner of the popup dialog that appears, select the drive you want to enable, and click OK. You should now see the drive in the “Path” list.
4. Highlight the drive and click the attributes (located under the Files and Directories check box sections) you want. If you want to enable an attribute, be sure that you keep clicking until you have a black check in the appropriate check box (not a gray check!).
5. You’ll notice that you can’t check the Create or Remove check boxes under the Directories section. To enable these boxes, you must check the “Recursive” check box under the “Special” section. Once the Recursive box is checked, it not only allows you to indicate whether the new user can create or remove directories, but it applies the permissions you’ve set to every directory and file on the drive, including new directories you create and/or remove.
Sound like a lot of work? It is—the first time! After that, you use the “Copy” function to create new users. This function duplicates all the permissions you already set without any effort on your part. Unfortunately, I couldn’t find a way to create user groups, so changing permissions for, say, a thousand users may make this program impractical for you!
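The three-state model and the Recursive check box described above, worked through as an added example (this is not War-FTP Daemon's own code, and not one of my Perl scripts). The user names, the system-wide defaults, and the rule that the deepest matching Path entry wins are assumptions made for illustration; the F: drive layout is the one from the permissions list earlier.

```python
from enum import Enum
from pathlib import PureWindowsPath

PERMS = ("Read", "Write", "Delete", "Execute", "List", "Create", "Remove")

class State(Enum):
    ENABLED = 1
    DISABLED = 2
    DEFAULT = 3   # inherit the system-wide default

E, D = State.ENABLED, State.DISABLED

# Constructed system-wide defaults (assumption): read and list only.
DEFAULTS = {p: p in ("Read", "List") for p in PERMS}

def entry(path, recursive, **states):
    """One row of a user's Path list; unspecified permissions stay DEFAULT."""
    return (PureWindowsPath(path), recursive, states)

# Constructed users (hypothetical names) on the article's F: drive scenario.
USERS = {
    "admin": [entry("F:\\", True, **{p: E for p in PERMS})],
    "jdoe": [
        entry("F:\\", True, Read=E, Write=E, Execute=D, List=E, Create=E),
        entry("F:\\MyStuff\\CriticalStuff", True, **{p: D for p in PERMS}),
    ],
    "guest": [entry("F:\\Incoming", False, Write=E)],  # Recursive not checked
}

def effective(entries, directory, defaults=DEFAULTS):
    """Resolve the seven permissions a user holds on one directory.

    Assumed rule: the deepest matching entry wins. An entry matches its own
    directory, and its subdirectories only when Recursive is set.
    """
    target = PureWindowsPath(directory)
    best_path, best_states = None, {}
    for path, recursive, states in entries:
        if target == path or (recursive and path in target.parents):
            if best_path is None or len(path.parts) > len(best_path.parts):
                best_path, best_states = path, states
    resolved = {}
    for perm in PERMS:
        state = best_states.get(perm, State.DEFAULT)
        resolved[perm] = defaults[perm] if state is State.DEFAULT else state is State.ENABLED
    return resolved

def who_can(perm, directory, users=USERS):
    """Report which users hold one permission on a directory."""
    return sorted(u for u, rows in users.items() if effective(rows, directory)[perm])

if __name__ == "__main__":
    for d in ("F:\\Public", "F:\\MyStuff\\CriticalStuff", "F:\\Incoming\\sub"):
        print(d, {p: who_can(p, d) for p in ("Read", "Write")})
```

In the sample data, guest can still read F:\MyStuff\CriticalStuff: the exclusion was entered only for jdoe, so guest falls through to the system-wide default. That is the kind of gap a "who has access to what" report is meant to surface.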
One other point to note: your FTP users can change drives, but they must do it through the use of “mapping” entries. You set up drive mapping(s) by using the “Mapping” checkbox for the drive. Once checked, you can use the default mapping (such as “C-DRIVE”, case sensitive) or create your own. In either case, your users would change to another drive using:
cd C-DRIVE
Once I got configured, I clicked the “Online” icon (a lightning bolt) on the main screen and logged in remotely (from a Telnet session I had on another computer). It worked like a charm the first time through! I played around inside the Properties/Options menu option (which brings up the application configuration dialog), clicked on the “NT” tab, and clicked the “Service Automatic Startup” option. Then I shut down the program (which terminated my open FTP session cleanly), and looked in Control Panel/Services. Sure enough, I saw War FTP Daemon 1.65 in the service list, with a startup type of Automatic. I started the service, and connected again.
· I couldn’t enable both the service and the GUI to run simultaneously (although I found instructions on how to do this). Ah well, one at a time is fine…
· As stated above, it’s a pain to reconfigure multiple users.
· Most of all—I haven’t scratched the surface of what this incredible application can do. You can set up custom “hello” messages for your FTP logins. You can set up an entire Virtual File System that allows you to customize what logins can see/not see without requiring you to do anything with permissions. You get the source code so that you can tinker with stuff you don’t like if you so desire. In the end, as I went deeper and deeper into the application and the online help and technical documents, all I could think was “This is free??”
This application is an outstanding effort!
Coming up next time, we’ll look at Perl for Windows/NT. Although often criticized for its arcane syntax and mind-numbing search expressions, Perl offers the willing learner the ability to accomplish virtually anything—and all in 4 lines of code! We’ll find the latest NT Perl ports and utility packages so that you can perform your own Perl programming feats of legerdemain. So until then, surf safely!