Other TCP/IP Security Issues
The TCP/IP networking suite provides a host of commonly used services and protocols. Each represents a potential security vulnerability. The following is a sample of issues that could impact Windows 2000 environments using the following TCP/IP suite applications:
ftp. The File Transfer Protocol is often used by anonymous user accounts that do not require password protection, which permits access to a system by virtually any user. Once inside, hackers can try to work their magic. To guard against this, set permissions to Read-Only, and restrict directory access. (Or, do not set up anonymous accounts at all unless you really need them.)
tftp. The Trivial File Transfer Protocol is a relaxed version of ftp, in which generally any files can be transferred without a password, conceivably even system files such as the Windows 2000 Registry. We strongly recommend that tftp be disabled by removing the tftpd file. In Windows 2000, ensure that the service is not enabled.
finger. This utility outputs information about users on the system. After a hacker has a list of user names, systematically discovering passwords becomes the game. This facility should also be disabled unless absolutely required.
DNS. The Domain Name System (DNS) server holds vital network information. Protect yourself by segregating it. For example, two servers can be used with a firewall separating the data the external Internet requires from inside user account information. You may also want to set filters to allow DNS queries to go only to one specific DNS machine on the DMZ, and only allow zone transfers to and from your parent servers.
Telnet. Telnet data is transmitted in plain text, along with the user name and password. This makes Telnet a valuable tool in an internal environment, especially when attempting to view data on heterogeneous UNIX and Windows 2000 systems. However, outside a secured environment, the user must be aware that security breaches can occur with this open transmission.
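As an added example (not from the original text), a short Python audit that reads the output of `netstat -an` on a Windows host, flags any of the services discussed above that are exposed, and pairs each with the hardening advice given here. The netstat listing is constructed for the example, and the port-to-service mapping assumes the standard well-known ports.

```python
import re
# Services named in the text, keyed by (protocol, well-known port), with the page's advice.
RISKY_SERVICES = {
    ("TCP", 21): ("ftp", "restrict anonymous access: Read-Only permissions, limited directories"),
    ("UDP", 69): ("tftp", "disable the service (files move without any password)"),
    ("TCP", 79): ("finger", "disable unless absolutely required (leaks user names)"),
    ("TCP", 23): ("telnet", "plaintext credentials; tolerate only inside a secured environment"),
    ("TCP", 53): ("dns", "allow zone transfers only to and from parent servers"),
    ("UDP", 53): ("dns", "filter queries so they reach only the designated DMZ DNS host"),
}

# Windows lines look like "  TCP  0.0.0.0:21  0.0.0.0:0  LISTENING" or "  UDP  0.0.0.0:69  *:*".
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+(?:\s+(\S+))?")

def parse_listeners(netstat_text):
    """Return (proto, local_addr, port) for every socket that accepts traffic."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or IPv6 entry
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing TCP sockets are not exposure by themselves
        found.append((proto, addr, port))  # UDP sockets are reachable once bound
    return found

def audit(netstat_text):
    """Return (service, bound address, advice) for each exposed risky service."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if (proto, port) in RISKY_SERVICES:
            name, advice = RISKY_SERVICES[(proto, port)]
            findings.append((name, addr, advice))
    return findings

# Constructed sample in the layout of 'netstat -an' on Windows 2000 (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:23        192.168.1.50:1043      ESTABLISHED
  TCP    0.0.0.0:79             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:69             *:*
"""
if __name__ == "__main__":
    for name, addr, advice in audit(SAMPLE_NETSTAT):
        print(f"{name:7} bound on {addr}: {advice}")
```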