Analysis of the Security of Windows NT, 1 March 1999 (page 42)

•   Lockout after n bad logon attempts, where n must be assigned a positive integer value.
•   Reset count after m minutes, where m specifies how many minutes shall pass before the bad logon counter is cleared.
•   Lockout duration, where the possible choices are forever (i.e. until an administrator unlocks the account) or a duration in minutes.

5.6  Port Filtering

The TCP/IP protocol suite was not specified to be particularly secure. Recently, a number of successful network attacks have been described. Many of these intrusion attempts have utilized different protocols in the TCP/IP family, e.g. TCP and UDP. A common way to minimize weaknesses in a system is to permit only those services that are proved secure and necessary; see [22] for a detailed discussion of this topic. In NT, communication to both TCP ports and UDP ports can be blocked. This implies that a system can be configured to accept only packets sent to specific ports on which secure and necessary servers listen. This feature is referred to as TCP security in NT terminology.

5.7  Security Features in RAS

As already stated, RAS opens a network to the world. Some users will appreciate this feature while others will not. For example, sales persons and consultants might do their job more efficiently if they can access files and other resources at the office while they are out in the field. Administrators as well as people responsible for security know fairly well that this feature may also be taken advantage of by an intruder. For the latter reason, RAS has a variety of mechanisms to protect against attackers.

5.7.1  Authentication

In PPP, three different authentication protocols are supported. The first and least secure option is enabling the RAS server to allow clear text passwords. In this case, the Password Authentication Protocol (PAP) is used.

A more secure authentication protocol is the Shiva Password Authentication Protocol (SPAP). Unlike PAP, SPAP encrypts passwords before sending them over the wire. SPAP is used if either side of the communication uses a product from Shiva, Inc. However, the most secure authentication protocol [64] is the Challenge-Handshake Authentication Protocol (CHAP), which uses DES-encrypted authentication. This protocol is described in appendix A.7.

5.7.2  Callback

With the callback facility, a user will be called back after s/he has provided a valid user name and a valid password. This provides added security, since NT now knows where the call came from. There are two different kinds of callbacks:

•   Predefined number, which implies that a predefined number will be used in the callback.